Keywords: Information Technology Law, Non-State Actors, Cyber War, National Security, Internet Governance.
This paper was initially written in partial fulfilment of my LLB at Monash University.
I wish to thank Professor Douglas Guilfoyle and Kathryn Browne for their insightful
feedback on earlier drafts of the manuscript; and the editorial team at The Indonesian
Journal of International and Comparative Law for their excellent assistance. Any
errors remain my own.
IV Indonesian Journal of International & Comparative Law 191-260 (April 2017)
In April 2001, a U.S. surveillance plane and a Chinese fighter jet collide
over the South China Sea. The Chinese F-8 crashes, killing its pilot.
Meanwhile, the U.S. plane makes an emergency landing on Hainan Island.
China detains twenty-four U.S. crew members for eleven days in
a military base.2
A Sino-U.S. “cyber-war” commences.3 U.S. hackers retaliate against
the crew’s detention, defacing Chinese websites with messages including:
“first you China men try and take our plane and crew . . . what is next?
Our home land? Our freedom?”4 In response, “patriotic” Chinese
hacktivists strike back. In a self-branded “cyber-operation defending
our country,”5 hacktivists deface U.S. “.gov” and “.com” websites,6
leaving messages, including: “long live Chinese nationality!”7 Notably,
the hacktivists on both sides were private actors, who rationalized
their actions as legitimate patriotic demonstrations.8 This fact has led
some to speculate that the Chinese government’s information warfare
strategy includes “sponsoring” Chinese hacktivists.9 The terminology
10. See Stefan Talmon, The Responsibility of Outside Powers for Acts of Secessionist
Entities, 58 Int’l & Comp. L. Q. 493 (2009).
11. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, arts.
2(b), G.A. Res 56/83, 53rd Sess., Jan. 28, 2002, U.N. Doc. A/RES/56/83 (Dec.
12, 2001).
12. This paper adopts the definition of cyberspace as: the “[g]lobal domain within
the information environment consisting of the interdependent network of information
technology infrastructures, including the internet, telecommunications
networks, computer systems, and embedded processors and controllers.”
U.S. Dep’t of Defence, Deputy Secretary of Defense Memorandum:
The Definition of Cyberspace (May 12, 2008).
13. The State(s) from which the cyberattacks originate, or whose networks are implicated
in the cyberattack (territorial State). The State(s) whose networks are
injured in a cyberattack (victim State).
14. 1 Oppenheim’s International Law: Peace 391-92 (Robert Jennings & Sir
Arthur Watts eds, 9th ed. 2008).
15. Int’l L. Comm., supra note 11, at 38 ch. II. 91 art. 31.
16. Ian Brown, Expert Witness Statement for Big Brother Watch and Others Re:
Large-Scale Internet Surveillance by the U.K. 3 para. 7 (App. No. 58170/13 to
Eur. Ct H. R. (Sept. 27, 2013)), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2336609
(last visited Jan. 18, 2017).
17. A.B.I. Res., “Global Cybersecurity Index and Cyberwellness Profiles,” (Int’l
Telecommunications Union, Apr. 2015) (hereinafter International Telecommunications
Union); e.g., Indian Gov’t Ministry of Electronics & Information
Technology, National Cyber Security Policy (2013); Dep’t Prime
Minister & Cabinet, Australia’s Cyber Security Strategy (2016);
Gov’t of the U.K., The U.K. Cyber Security Strategy (2011); Executive
Off. of the President of the U.S., The National Strategy to Secure
Cyberspace (2003).
18. See Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security, U.N.
GAOR, 17th sess., Agenda Item 93, U.N. Doc A/70/174 (July 22, 2015).
19. James A. Lewis, Confidence-Building and International Agreement in Cybersecurity,
in 4 Disarmament Forum: Confronting Cyberconflict 51, 58
(Kerstin Vignard et al. eds, Apr. 2011).
20. Scott J. Shackleford, Scott Russell & Andreas Kuehn, Unpacking the International
Law on Cybersecurity Due Diligence: Lessons From the Public and Private
Sectors, 17 Chi. J. Int’l L. 1, 25-34 (2016) (using the U.S.’s, German and Chinese
cyber frameworks to illustrate the difficulties of custom crystallising in
cyberspace).
collaboration. Obliging each State to take all available measures to stop
cyberattacks which emanate from their territories would improve the
security of interconnected networks globally.21
Arguably, to date, no cyberattack has risen to the level of a use
of force. Aggrieved States have not invoked State responsibility for
a failure to prevent injurious cyberattacks. Yet, live trackers record
over six million cyberattacks daily,22 and fear of cyber insecurity has
gripped the world.23 States increasingly invest in cyber capabilities to
21. Division for Treaty Aff., U.N. Off. on Drugs & Crime, Comprehensive
Study on Cybercrime (Draft) 1-22 (Feb. 2013).
22. Norse (2016), http://map.norsecorp.com/; Checkpoint Software Technologies
(2016), available at https://threatmap.checkpoint.com/ThreatPortal/livemap.html
(last visited Mar. 1, 2016)
23. Xu Longdi, China’s Internet Development and Cybersecurity: Policies and Prac-
tices, in Chinese Cybersecurity and Defence 46 (Daniel Ventre ed., 2014);
Kara Scannell & Gina Chon, F.T. Investigation: Cyber Insecurity U.S. Agencies
are Revealed to Lack Basic I.T. Defences, Financial Times (July 15, 2015),
available at https://www.ft.com/content/698deb42-200b-11e5-aa5a-398b2169cf79
(last visited Oct. 21, 2016).
24. U.N. Institute For Disarmament Res., The Cyber Index International
Security Trends and Realities xi, 1, 3, 9-55, 117 (Mar. 2013).
25. E.g., Cyberwar, Law and Ethics for Virtual Conflicts (Jens David Ohlin,
Kevin Govern & Claire Finkelstein eds, 2015); Tallinn Manual on the
International Law Applicable to Cyber Warfare (Michael N Schmitt
ed., 2013); Committee on Offensive Information Warfare, Technology,
Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack
Capabilities (William A. Owens, Kenneth W. Dam & Herbert S.
Lin eds, 2009).
26. Matthew J Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A
Justification for the Use of Active Defenses against States Who Neglect Their Duty
to Prevent, 201 Military. L. Rev. 1, 79 (2009) (citing Richard Garnett & Paul
Clarke, Cyberterrorism: A New Challenge for International Law, in Enforcing
International Law Norms Against Terrorism (Andrea Bianchi & Yasmin
Naqvi eds, 2004)).
in advance of such an event.27 It aims to comprehensively define the
contents and triggers of a cyber-diligence obligation, and offer reasoned
conclusions which States could implement in practice. The literature on
cyberattacks in international law, as of this writing, has not addressed
this subject matter in detail. The present paper’s proposed framework
for cyber-diligence fills this void.
The present paper focusses on a State’s cyber-diligence obligation
27. Thomas M. Franck, What Happens Now? The United Nations after Iraq, 97 Am.
J. Int. Law. 607, 620 (2003); Ronald Dworkin, A New Philosophy for International
Law, 41 Phil. & Pub. Aff. 2, 15 (2013).
28. See U.N. Charter art. 2(4), art. 51; Schmitt ed., Tallinn Manual, supra note
25, 45, 47-8; Michael Schmitt, Computer Network Attack and the Use of Force in
International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat’l
L. 914 (1999); Terry D. Gill & Paul A. L. Ducheine, Anticipatory Self-Defense
in the Cyber Context, 89 Int’l. L. Studies. 440 (2013); Matthew C. Waxman,
Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36
Yale J. Int’l L. 421, 431 (2011).
29. Committee on Offensive Information Warfare, supra note 25, at 34, 67.
30. Application of Convention on Prevention and Punishment of Crime of Genocide
(Bosn. & Herz. v. Serb. & Montenegro), 2007 I.C.J. 43, 91, ¶ 221 (Feb. 26)
(hereinafter Genocide Case); United States Diplomatic and Consular Staff in
Tehran (U.S. v. Iran), 1980 I.C.J. Rep. 3, 32-33 para. 68 (May 24) (hereinafter
Tehran Hostages); Seabed Disputes Chamber of the International Tribunal for
the Law of the Sea, Responsibilities and Obligations of States Sponsoring Persons
and Entities with Respect to Activities in the Area (Advisory Opinion)
(2011) I.T.L.O.S. Rep. 10, 41 paras. 110-112; Pulp Mills on the River Uruguay
(Arg. v Ur.), Merits, 2010 I.C.J. Rep. 14, 77 para. 187.
incur responsibility “because the desired result is not achieved.”31
Second, we define the content of States’ cyber-diligence obligations,
which should be distinct from due diligence obligations in environmental
law.32 However, States should implement the polluter pays principle.
Private industry owners, as the proponents of cyber-infrastructure,
should bear a preventive obligation to secure their networks and “self-
police”: monitoring, filtering, and isolating the sources of cyberattacks.
Cyberattacks are often covertly executed and realize instant effects.
31. Id.; James Crawford, Second Report on State Responsibility, U.N. Doc. A/CN.4/498
(Mar. 17, Apr. 1 and 30, July 19, 1999), at 21 para. 57.
32. Shackleford, Russell & Kuehn, supra note 20, at 35-36; cf. Thilo Marauhn, Customary
Rules of International Environmental Law: Can they Provide Guidance
for Developing a Peacetime Regime for Cyberspace?, in Ziolkowski ed., supra
note 9, at 482; Katharina Ziolkowski, General Principles of International Law as
Applicable in Cyberspace, in id. at 167.
33. Brigitte Stern, The Elements of An International Wrongful Act, in The Law of
International Responsibility 208 (James Crawford, Alain Pellet, & Simon
Olleson eds, 2010).
favourable to best-practice exchanges of cyber-technology. States also
have different capabilities to intervene in cyberspace. As a result, their
capacity should limit their responsibility.34
Cyberattacks transcend exclusive territorial control.35 But the threat
does not necessitate a reinvention of international law.36 The proposed
cyber-diligence framework preserves State-centric responsibility in
cyberspace,37 extending post-Westphalian sovereignty to a relatively
34. Alan Boyle, Liability for Injurious Consequences of Acts Not Prohibited by International
Law in International Responsibility, in id. at 98; Benedikt Pirker,
Territorial Sovereignty and Integrity and the Challenges of Cyberspace, in id. at
216.
35. Peter Margulies, Sovereignty and Cyber Attacks, 14 Melbourne J. Int’l L. 496,
513 (2013); Chris C. Demchack & Peter Dombrowski, Rise of a Cybered Westphalian
Age, 5 Strategic. Stud. Q. 31, 33 (2011); Uta Kohl, Jurisdiction in
cyberspace, in Research Handbook on International Law and Cyberspace
30 (Nicholas Tsagourias & Russell Buchan eds, 2015).
36. See Yaroslav Radziwill, Cyberattacks and the Exploitable Imperfections
of International Law 1 (2015).
37. Int’l L. Comm. Stud. Group, Fragmentation of International Law: Difficulties
Arising from the Diversification and Expansion of International Law, in Report
of the Study Group of the International Law Commission (58th Sess,
U.N. Doc. A/CN.4/L/702 (May 1 – June 9, July 3 – Aug. 11, 2006)), at 12 para.
10.
38. Jon Bing, Building Cyberspace: A Brief History of Internet, in Internet Governance:
Infrastructure and Institutions 38 (Lee A. Bygrave & Jon Bing
eds, 2009).
39. James Crawford, International Law as Discipline and Profession, 106 Am. Soc’y
Int’l L. Proc. of the Annual Mtg 472 (2012).
II. THE PRIMARY OBLIGATION OF DUE DILIGENCE IN STATE RESPONSIBILITY
46. Memorandum from the U.S. Dep’t. of Defense, supra note 12.
47. Schmitt ed., supra note 25, rule 1 cmt para. 5.
48. James Crawford, Brownlie’s Principles of Public International Law
204 (8th ed., 2012).
49. See also Duncan Hollis, Re-Thinking the Boundaries of Law in Cyberspace, in
Ohlin, Govern & Finkelstein eds, supra note 25, at 129.
50. Thomas Wingfield, The Law of Information Conflict 17 (2000); U.S.
Dep’t. of Defense, Dictionary of Military and Associated Terms,
http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf.
51. Wingfield, supra note 50.
52. Jack Goldsmith & Tim Wu, Who Controls the Internet? Illusions of a
Borderless World 149-50, 181-83 (2008); Hollis, supra note 49.
53. Schmitt ed., supra note 25, rule 1 cmt para. 1.
54. Wolff Heintschel von Heinegg, Legal Implications of Territorial Sovereignty in
Cyberspace, in Proceedings of the 4th International Conference on
Cyber Conflict 9-10, 15 (Christian Czosseck, Rain Ottis & Katharina Ziolkowski
eds, 2012); Schmitt ed., supra note 25, rule 5 cmt para. 2.
55. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, supra
note 11, 34-35 art. 2 cmt para. 4; James Crawford, State Responsibili-
Some States resist the idea of cyber-diligence obligations, avoiding
additional burdens on their resources and perceived overregulation
of cyberspace.56 Others firewall domestic internet, creating a “closed
national network” averse to foreign influence.57 Cyber-diligence’s
current generality renders it extant in theory, but an afterthought in
practice.
This section identifies the source of cyber-diligence obligations.
But States ought to be informed of what positive actions fulfil the
1. Undesirable Uncertainty
Obligations of conduct readily adapt to cyber-diligence. Their flexibility
accords with a disparity between the technical capabilities of different
States.67 The obligation does not levy excessive burdens on developing
States, who typically do not have the capacity to carry out diligence on
the same level as developed States.68 In evolving areas of international
law, obligations of conduct “[integrate] new standards of diligence . . .
into customary international law as they are progressively adopted by
State practice.”69
70. Genocide Case, supra note 30, at 221 para. 430; Seabed Mining, Advisory Opinion,
(2011) I.T.L.O.S. Rep. 10, para. 110; Crawford, supra note 55, at 229-230.
71. Genocide Case, supra note 30, at 221 para. 430.
72. Economides, supra note 60, at 378; cf. Second Report on State Responsibility,
U.N. Doc. A/CN.4/498, at 21 para. 58.
73. Economides, supra note 60, at 376.
74. Pierre-Marie Dupuy, International Liability of States for Damage Caused by
Transfrontier Pollution, in Legal Aspects of Transfrontier Pollution 372
(Organ. for Econ. Cooperation & Dev. ed., 1977).
75. See U.S. v. Iran, supra note 30, at 12-13 para. 18.
76. Economides, supra note 60, at 377.
77. See infra, III.F.3.
B. Cyber-Diligence should not adopt the Preventive Principle
We begin our examination with the preventive principle, a significant
element within established due diligence models. The principle
requires States to take preventive measures to reduce the likelihood
of transboundary damage where the risk is known.78 Preventive
cyber-diligence would oblige States to create and maintain a clean
infrastructural environment, in advance of any cyberattacks.79 We will
78. International Liability for Injurious Consequences Arising out of Acts not Prohibited
by International Law, 2 Y.B. Int’l L. Comm. 148 (2001) (hereinafter Draft
Articles on Transboundary Harm); Crawford, supra note 48, at 356-57.
79. Marauhn, supra note 32, at 475; Ziolkowski, supra note 32, at 185-86.
80. Precautionary measures are inherently part of due diligence obligations in the
marine environment. Responsibilities and Obligations of States Sponsoring Persons
and Entities with Respect to Activities in the Area (Request for Advisory
Opinion submitted to the Seabed Disputes Chamber), Advisory Opinion, ITLOS
Reports 2011, at 46 (Feb. 1, 2011); see Cass R. Sunstein, Worst-Case
Scenarios 123 (2007).
81. See infra, IV.B; Schmitt ed., supra note 25, rule 11, 13; Gill & Ducheine, supra
note 28, 444-45; Scott J. Shackleford, From Nuclear War to Net War: Analogising
Cyber Attacks in International Law, 27 Berkeley J. Int’l L. 192, 218-19
(2009); Jason Barkham, Information Warfare and International Law on the Use
of Force, 34 N.Y.U. J. Int’l L. & Pol. 57-58 (2001); Detlev Wolter, Looking towards
the Future of Cyber Security: What Does A Stable Cyber Environment
Look Like? Speech delivered at the UNIDIR Cyber Security Conference 2012
(Geneva, Nov. 8-9, 2012).
82. Ziolkowski, supra note 32; Marauhn, supra note 32; Shackleford, Russell &
Kuehn, supra note 20.
83. Group of Governmental Experts on Developments in the Field of Information
and Telecommunications, U.N. Doc. A/70/174.
84. E.g., Shackleford, Russell & Kuehn, supra note 20, at 35-40.
85. Id. at 35-36; Marauhn, supra note 32, at 482, Ziolkowski, supra note 32, at 167,
169, 186; Eneken Tikk, Kadri Kaska & Liis Vihul, International Cyber
1. Risk assessment before the harm;
2. Consultations on preventive measures with “interested” States;
3. International cybersecurity cooperation, and;86
4. Monitoring suspicious activity.
98. Trail Smelter (U.S. v. Can.), 3 R.I.A.A. 1905, 1950 (Mixed Claims Comm’n
1938, 1941).
99. Pulp Mills, supra note 97, at 79-80 para. 197; Ziolkowski, supra note 32, at 166;
Cedric Ryngaert, Working Session 1 (Study Group on Due Diligence in International
Law, 2014).
100. Seabed Mining Advisory Opinion, (2011) I.T.L.O.S. Rep. 10, paras 124-150 (citing
Southern Bluefin Tuna Case (Austl. & N.Z. v. Japan), Request for Provisional
Measures, Order, Int’l Trib. for the L. of the Sea, Aug. 27, 1999, paras 77,
80; Pulp Mills, supra note 97, at 82-83 para. 204.
101. Gabčíkovo-Nagymaros, supra note 97, at 54 para. 78; Crawford, supra note
48, at 352 para. 1.
102. Convention on Civil Liability for Damage resulting from Activities Dangerous
to the Environment, art 2(1), C.E.T.S. (No.150), entered into force June 21,
1993.
103. Marauhn, supra note 31, at 483.
104. Id.
numerous States before it harms a network.105
Second, the I.C.J.’s jurisprudential promotion of the preventive
principle aims to secure the environment’s long term sustainability and
avoid disturbance to its ecological balance.106 Environmental damage
cannot easily be undone.107 The harm’s irreversibility underpins
societies’ willingness to adopt aggressive steps to control the perceived
risk.108 This rationale is not transferable to cyberspace. Cyberspace, still
113. Recommendation of the Council of May 26, 1972 on Guiding Principles concerning
International Economic Aspects of Environmental Policies, Principle
4, C (72) 128 (May 26, 1972).
114. Declaration of the United Nations Conference of the Human Environment,
Principle 16, U.N. Doc. A/Conf.48/14/Rev. 1 (1973); 11 I.L.M. 1416 (1972).
115. See infra, III.D.
116. Int’l L. Comm., International Liability for Injurious Consequences Arising Out
of Acts Not Prohibited by International Law, 58th sess., 2910th mtg, U.N. Doc.
A/CN.4/562 (May 1-June 9, July 3-Aug 9, 2006), at 59 principle 6.
117. Régis Chemain, The “Polluter Pays” Principle, in Crawford, Pellet & Olleson
eds, supra note 33, at 883.
118. Id.
119. Convention on Civil Liability for Damage Caused during Carriage of Dangerous
Goods by Road, Rail and Inland Navigation Vessels, art. 5, opened for
signature Feb. 1, 1990, U.N. Doc. ECE/TRANS/79.
120. International Convention on Civil Liability for Oil Pollution Damage, 9 I.L.M.
In cyberspace, the polluter’s “payment” should expand beyond
monetary compensation (damages or taxes) to individual civil and
criminal liability. The “cyber-polluter” should include both individual
hackers and infrastructure operators. Hackers are responsible for the
causative activity: they deliver cyberattacks which injure a network.
Operators who fail to secure their infrastructure enable cyberattacks
to be directed from, or routed through, their networks. Liability should
extend to both these parties located at the source of the damage.121 This
127. Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy
Options, in Nat’l Res. Council, Proceedings of a Workshop on Deterring
Cyberattacks: Informing Strategies and Developing Options
for U.S. Policy 8 (2010).
128. See III.B.2.
129. Chemain, supra note 117, at 883.
130. Id. at 882-83.
131. Id. at 879.
132. Although such a duty’s effectiveness is questionable. See infra, III.E.
133. Tikk, Kaska & Vihul, supra note 85, at 15; Project Grey Goose, Phase I
Report (2008), available at https://zh.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report
(last visited Apr. 2, 2016).
134. A denial of service attack uses one computer to flood a target network. The target
network, unable to handle the volume of requests, is forced to shut down.
Tallinn Manual, supra note 25, at 259.
distributed denial of service (“DDOS”),135 defacements, and spam.
After the onslaught, Estonia sought to subject alleged hackers to
computer sabotage crimes in their Penal Code.136 The U.S. has also
prosecuted five Chinese hackers under their criminal code, despite the
hackers being identified as members of the Chinese military,137 and by
extension, carrying out official State organ functions.138
But successful investigation and prosecution requires “dual
135. A distributed denial of service attack uses multiple computers to flood a target
network. This is often achieved using botnets. Tallinn Manual, supra note 25,
at 259; Tikk, Kaska & Vihul, supra note 85, at 19, 112.
136. Tikk, Kaska & Vihul, supra note 85, at 26-28, 57-58; see also Radziwill,
supra note 36, at 82.
137. U.S. v Wang Dong, Criminal No. 14-118 (W.D. Pa., May 1, 2014).
138. James Crawford, First Report on State Responsibility, U.N. Doc. A/CN.4/490
(Apr. 24, May 1, 5, 11 and 26, July 22 and 24, Aug. 12, 1998), 34 para. 158.
139. Division for Treaty Aff., United Nations Office on Drugs and Crime,
Comprehensive Study on Cybercrime (Draft) 60 (February 2013); U.N.
Off. on Drugs & Crime, The Use of the Internet for Terrorist Purposes
134 para. 437 (Sept. 2012).
140. Id.
141. See infra, IV.A.1.
142. Tikk, Kaska & Vihul, supra note 85, at 26-28.
143. See infra, III.E.
environmental law does not fit with cyberspace, we visit another
possible analogy for cyber-diligence: due diligence in the marine
environment. As is taken up later, cyberspace, unlike the high seas,
is not a res communis. An analogy with the marine environment also
impractically extends the scope of cyber-diligence obligations to
nationals outside territorial control. But it provides guidance for an
adequate regulatory framework in cyber-diligence.
144. United Nations Convention on the Law of the Sea, art. 192, 1833 U.N.T.S. 3,
entered into force Nov. 16, 1994 (hereinafter “UNCLOS”).
145. Id. art. 193.
146. UNCLOS, supra note 144, art. 58(3), 62(4); Request For An Advisory Opinion
Submitted by the Sub-Regional Fisheries Commission, Advisory Opinion, Int’l
Trib. for the L. of the Sea, Case No 21 (Apr. 2, 2015), paras 120-124 (hereinafter
SRFC Advisory Opinion); The Republic of Philippines v The People’s Republic
of China, Award, Perm. Ct of Arbitration, Case No 2013-19 (July 12, 2016),
[940] (hereinafter Philippines v. China).
147. Philippines v. China, supra note 146, at 944; SRFC Advisory Opinion, supra
note 146, paras 133-36; Southern Bluefin Tuna, supra note 100, para. 70.
148. Philippines v China, supra note 146, para. 944; Pulp Mills, supra note 97, at 79-80
para. 197.
tribunal in the South China Sea case found China breached their
due diligence obligation.149 China knowingly tolerated “the propeller
chopping method” exploiting living reefs across the Spratlys within
their jurisdiction and control.150 China knew that their flagged vessels
poached endangered species outside of their territorial control, which
“[inflicted] significant damage on rare or fragile ecosystems.”151
Attaching due diligence obligations to the conduct of nationals
would simply not work in the same way in cyberspace. A State’s cyber-diligence
obligation should not extend to terminating a cyberattack
initiated by a national abroad.152 In the sea, a flag vessel’s physical location
is identifiable. A State’s due diligence obligation follows their flag vessels’
chartered territory. In cyberspace, a State exercises authority over
infrastructure within their exclusive control both in their territory and
extraterritorially.153 But a State’s jurisdictional control of their nationals
assumes different characteristics. The operations of transnational non-State
actors (and their data trails) are often borderless, simultaneously
residing in multiple jurisdictions.154
155. E.g., Shanghai Cooperation Org., International Code of Conduct for Information
Security, art. 2 (3)-(4), U.N. GAOR, 69th sess., Agenda item 91, U.N. Doc.
A/69/723 (Jan. 13, 2015); European Convention on Cybercrime, supra note
122, arts 4-5; Arab Convention on Combating Information Technology Offences,
art. 8, League of Arab States General Secretariat, signed and entered into
force Dec. 21, 2010.
156. Seabed Mining Advisory Opinion, supra note 70, paras 212-41; UNCLOS, supra
note 144, art. 139 para. 1, Annex III art. 4(4).
157. UNCLOS, supra note 144, art. 139(1), Annex III art. 4(4); Seabed Mining Advisory
Opinion, supra note 70, paras 124-50; Southern Bluefin Tuna, supra note
100, para. 77; see infra, III.C. and V.
and regulations and [take] administrative measures which are, within
the framework of its legal system, reasonably appropriate for securing
compliance by persons under its jurisdiction.”158
The following table distils principles from ITLOS’ advisory
opinion, summarising how they may be applied to cyber-diligence.159
These suggestions should be read in light of the “cyber-polluter pays”
argument.160 The same due diligence principles apply under UNCLOS
158. UNCLOS, supra note 144, annex III art. 4(4) (emphasis added).
159. Donald K. Anton, Robert A. Makgill & Cymie R. Payne, Seabed Mining Adviso-
ry Opinion on Responsibility and Liability, 41 Envt’l Pol’y. & L. 60, 64 (2011).
160. See infra, III.C.
These measures depend on the capacity and policy traditions of the
territorial State,161 and favour governmental intervention. Temporary
restrictions on the free market in certain sectors facilitate efficient
pursuit of wider social goals, including cybersecurity.
Cyber-diligence and due diligence obligations from the Law of
the Sea have diverging jurisdictional features. However, the Seabed
Disputes Chamber offers a paradigm against which a State’s domestic
173. International Telecommunications Union, supra note 17, at 29; Moore, supra
note 127, at 8.
174. Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political
Change, 52 Int’l. Org. 887, 895-98 (1998).
175. Czosseck, supra note 9, at 16.
176. International Telecommunications Union, supra note 17, at 35.
177. Tikk, Kaska & Vihul, supra note 85, at 61.
178. Economides, supra note 60, at 378.
179. Southern Bluefin Tuna, supra note 100, at 18-19 para. 57; Southern Bluefin
Tuna (N.Z. v. Japan; Austl. v. Japan), 38 I.L.M. 1624, 1647 (Judge ad hoc Shearer).
obliged to continue to seek settlement through negotiation, rather than
coming to an actual settlement.180 A unilateral referral of the dispute
to judicial settlement or arbitration was ineffective.181 Indeed, as the
Estonia-Russia Treaty illustrates, States exercise discretion in their
adherence to a cooperation treaty.182
Second, some commentators stress that States bear a legal obligation
to cooperate in reducing cyber threats, as cyberspace integrity is
relevant to international security.183 Katharina Ziolkowski argues: “the
180. Id. at 18-19 para. 54-57; but see Economides, supra note 60, at 380 note 44.
181. Southern Bluefin Tuna (N.Z. v. Japan; Austl v. Japan), Jurisdiction and Admis-
sibility, Int’l Trib. for the L. of the Sea, Aug. 4, 2000, 39 I.L.M. 1359, at 18-19
para. 57.
182. Delbrück, supra note 162, at 13; Rüdiger Wolfrum, International Law of Cooperation,
Max Planck Encyclopedia of Public International Law paras
5, 16 (2010), http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1427.
183. Ziolkowski, supra note 32, at 177-78.
184. Id.
185. UNCLOS, supra note 144, art. 136; Wolfrum, supra note 182, para. 27.
186. UNCLOS, supra note 144, art. 87, 89; Hugo Grotius, The Freedom of the
Seas, Or, the Right Which Belongs to the Dutch to Take Part in the
East Indian Trade (New York: Oxford University Press, 1916) (1608).
187. Treaty on Principles Governing the Activities of States in the Exploration and
Use of Outer Space, including the Moon and Other Celestial Bodies, art. 2,
G.A. Res. 2222(XXI), U.N. GAOR, 21st sess., 1499th plen. mtg (Dec. 19, 1966).
188. Tsagourias, supra note 109, at 28. See also Heinegg, supra note 57, at 9-10.
to dividing the space into smaller parts.189 Cyberspace is not a natural,
indivisible asset. Each State is encouraged to invest in cyberspace to
reap economic, political, and social benefits.190
States currently have no incentive to agree on a common regulatory
regime in cyberspace. Doing so would decrease their margin of
appreciation to set cyberspace priorities. Any common interests in
cyberspace fasten on ensuring the platform’s development, so that each
189. Tsagourias, supra note 109, at 24-25; Hollis, supra note 49, at 135-36.
190. Id.; see infra, III.C.
191. Demchack & Dombrowski, supra note 35, at 32.
192. Joint Communication to the European Parliament, The Council, The European
Economic and Social Committee and the Committee of the Regions, Cybersecurity
Strategy of the European Union: An Open, Safe and Secure Cyberspace
[2013] JOIN/2013/01 final; Directive of the European Parliament and of the
Council concerning measures to ensure a high common level of network and
information security across the Union, O.J. L. 194/1 (2013).
193. Shackleford, Russell & Kuehn, supra note 20, at 28 note 121.
194. Jack Goldsmith & Eric Posner, The Limits of International Law 13
(2005); Thomas Hobbes, Leviathan 184 (Cambridge University Press, 1996)
(1651).
195. Goldsmith & Posner, supra note 194.
cooperation to bring utopian cybersecurity will inevitably disappoint.
But the value of regional and multilateral cooperation schemes to
improving cybersecurity cannot be ignored.196
As the Estonian incident demonstrates,197 the effectiveness of
multilateral conventions in a cyberattack depends on a signatory’s
willingness to assist under those circumstances. Failure to assist incurs
no enforceable sanction,198 but these conventions could spur domestic
cybersecurity adoption.199 The fact that some States already cooperate
1. Introduction
International terrorism and cyberattacks share parallels. The definition
of international terrorism has long been disputed.202 We adopt the
definition established in the Security Council’s (“S.C.”) Resolution
1566: terrorism consists of acts “with the purpose to provoke a state
202. Convention for the Prevention and Punishment of Terrorism (League Convention
1937), Annex I art. 1(2), LoN Doc. C.94.M.47.1938.V, Int’l Conf. Proc.
on the Repression of Terrorism, Geneva (Nov. 1-16, 1937); International Convention
for the Suppression of the Financing of Terrorism, art. 2(1)(b), G.A.
Res. 54/109, U.N. GAOR, 54th sess., 6th plen mtg, U.N. Doc. A/54/109; Interlocutory
Decision on the Applicable Law: Terrorism, Conspiracy, Homicide,
Perpetration, Cumulative Charging, Special Tribunal for Lebanon, Appeals
Chamber, Case No STL-11-01/1/I/AC/R176bis (Feb. 16, 2011), 87; Thomas
Weatherall, The Status of the Prohibition of Terrorism in International Law:
Recent Developments, 46 Geo. J. Int’l L. 589, 591-597 (2015); Trapp, supra
note 63, at 18-23; Tal Becker, Terrorism and the State: Rethinking the
Rules of State Responsibility 85 (2006); Ben Saul, Defining Terrorism
in International Law (2008).
203. S.C. Res. 1566, U.N. SCOR., 5053rd mtg, U.N. Doc. S/Res/1566 (Oct. 8, 2004).
204. Trapp, supra note 63, at 21.
205. Samuel P. Huntington, Transnational Organisations, 25 World Pol. 334-35,
365 (1973).
206. Id. at 365.
207. Hartmut Behr, Political Territoriality and De-Territorialisation, 39 Area 112,
113-14 (2007).
Behr describes these threats as “real, effective and powerful, [but
not] permanently present and visible. They appear . . . to have gone
to nowhere, when suddenly they reappear at different places.”208 A
terrorist blends into the civilian population before carrying out an act
of violence. A cyberattack’s malicious traffic blends indiscriminately
into the internet exchange before it inflicts injuries.209
215. D.C. Elliot, Anonymous Rising, 36 LiNQ 96-97 (2009); Anonymous, Anonymous
Official (2016), available at https://www.youtube.com/user/AnonymousWorldvoce/videos
(last visited Jun. 18, 2016).
216. Brian B. Kelly, Investing in a Centralised Cybersecurity Infrastructure: Why
“Hacktivism” Can and Should Influence Cybersecurity Reform 92 Buff. U. L.
Rev. 1663, 1668 (2012).
217. Gabriella Coleman, Beacons of Freedom, 41 Ind. Censor’s. 62-63 (2012).
218. Anonymous, Anonymous to Polish Government, This is Your Last Chance
(2012), available at https://www.youtube.com/watch?v=T6-XSQnPeQQ (last
visited Jun. 18, 2016).
219. Coleman, supra note 217.
3. Incorporating the Counter-Terrorism Model of Due Diligence
States bear an obligation to prevent the terrorist conduct of non-State
actors. The obligation existed within custom and conventions well
before 9/11.220 However, this paper focusses on the counter-terrorism
standard of due diligence established within Resolution 1373.
In handing down Resolution 1373, the S.C. exercised its Chapter
VII powers in a legislative fashion for the first time, “[imposing]
universally binding obligations without temporal or geographic
International Terrorism, in Bianchi & Naqvi eds, supra note 26, at 83-92; see
also Sunstein, supra note 85, at 123.
228. Resolution 1373, supra note 222, para. 6.
229. Trapp, supra note 63, at 78.
230. Curtis A. Ward, Building Capacity to Combat International Terrorism: The Role
of the United Nations Security Council, 8 J. Conflict & Sec. L. 289, 299 (2003);
Rosand, supra note 224, at 335.
231. Ward, supra note 230, at 301-02; Becker, supra note 202, at 127.
232. Developments in the Field of Information and Telecommunications in the Context
of International Security, G.A. Res. 68/243, U.N. GAOR, 68th sess., 72nd
plen. mtg, U.N. Doc. A/Res/68/243 (Dec. 27, 2013).
that: “States . . . should seek to ensure that their territory is not used
by non-State actors to commit [internationally wrongful acts] using
ICTs.”233 As a result, 25 States have tabled reports on their internal
cybersecurity policies.234
The U.N. should go beyond inviting open-ended cybersecurity
reports and establish a C.D.C. to regulate international capacity
building efforts for cyber-diligence. The C.D.C’s overall goal should be
to assist (particularly developing) States building capacity to prevent
250. Hugo Grotius, De Jure Belli ac Pacis, Book II ch. XXI para. II (Nabu Press,
2011) (1625).
251. Jan Hessbruegge, The Historical Development of the Doctrines of Attribution
and Due Diligence in International Law, 36 N.Y.U. J. Int’l L. & Pol. 265, 274
(2004); Articles on State Responsibility, supra note 11, at 34-35 art. 2 cmt para.
3.
252. Martti Koskenniemi, Doctrines of State Responsibility in International Responsibility,
in Crawford, Pellet & Olleson eds, supra note 33, at 50; Ian Brownlie,
System of the Law of Nations: State Responsibility—Part 1 45 (1983);
Bin Cheng, General Principles of Law as Applied by International
Courts and Tribunals 225-26 (1994).
253. A botnet is “a network of compromised computers.” “The bots” are remotely
controlled by the “botherder” and conduct coordinated cyber operations.
There is no limit on the number of bots that can be “recruited”. See Schmitt ed.,
supra note 25, at 257; Committee on Offensive Information Warfare,
supra note 25, at 89.
254. But see, infra IV.3.b.
255. Unless the state itself launched the cyberattack, a fact that is exceedingly difficult
to prove.
1. Actual knowledge: a State knows of a cyberattack (where a
State organ conducts the cyberattack);
i. Categories 1 and 2
Subjective knowledge is the highest degree of intent. A State either
intended the cyberattack to cause serious injury, or endorsed the
outcome. In judicial proceedings, victim States may struggle to establish
a territorial State’s actual knowledge or connivance. The accused State’s
sovereignty shrouds any evidence of subjective knowledge in secrecy.
It is unthinkable that an accused State would surrender documents
i. Category 3
International jurisprudence supports constructive knowledge triggering
due diligence. In Corfu Channel, the I.C.J’s majority judgment relied
on a series of inferences to conclude that the minefield laying “could
not have been accomplished without the knowledge of Albania.”274 The
majority inferred Albania’s knowledge according to objective standards.
State learns of, or should normally have learned of, the existence of a
serious risk that genocide will be committed.”278 Engaging the obligation
to prevent genocide is tantamount to triggering cyber-diligence if the
State should have reasonably known of the attack’s occurrence.279
In Asian Agricultural Products, the Tribunal emphasized Sri Lanka
bore a duty to exercise “[an] ‘objective’ standard of vigilance in assessing
the required degree of protection and security . . . for foreign investors.”280
The language of these cases suggests that constructive knowledge should
be established if the territorial State had information that a cyberattack
might occur and failed to conduct further inquiries.
Elsewhere, some commentators argue constructive knowledge
should be presumed when a cyberattack implicates a State’s exclusive
governmental infrastructure.281 The aggrieved State ought to establish
that the attack travelled through the territorial State’s governmental
infrastructure.282 Constructive knowledge is prima facie established
if the infrastructure was under direct State control and used only for
275. Id.; Trapp, supra note 63, at 69; Becker, supra note 202, at 134.
276. Corfu Channel, supra note 44, at 93 (Judge Azevedo); Corfu Channel, supra
note 44, at 72 (Judge Krylov).
277. Brownlie, supra note 252, at 45, 152.
278. Genocide Case, supra note 30, at 221-22 [431].
279. See also Trapp, supra note 63, at 63; Dupuy, supra note 74, at 373-75 paras 12-16.
280. Asian Agricultural Products Ltd v. Democratic Socialist Republic of Sri Lanka,
Case No ARB/87/3, 4 ICSID Rep. 250, [77], [85](b) (1997).
281. Heinegg, supra note 54, at 17; Pirker, supra note 34, at 205-06.
282. Many states lack the technical expertise to collect and analyse such evidence,
so outsourcing is likely required.
public purposes.283
This approach should be tempered. Indications of government
infrastructure’s involvement in a cyberattack can be deceiving.
First, non-State hackers may compromise a government server.284 A
cyberattack being mounted from government infrastructure does not
in itself establish responsibility in the cyber context.285
Second, cyberattacks are often dressed with “spoofing” (identity
manipulation) techniques. In the Estonian incident, spoofing clouded
ii. Category 4
With reference to Section III.F.3., should a C.D.C. framework be
established, a degree of constructive knowledge should be presumed.
Territorial States would be held to a standard of vigilance in maintaining
their cyber-territory, and constructive knowledge of an ongoing
or imminent attack would be imputed to these States. States would
have less latitude to plead a lack of capacity to discover a particular
cyberattack.
Presuming knowledge would reflect heightened expectations for
State compliance with cyber-diligence obligations.296 The victim State
still bears the burden of proof297 and should establish knowledge
292. Marco Roscini, Evidentiary Issues in International Disputes Related to State Responsibility
for Cyber Operations, 50 Tex. Int’l L. J. 233, 245-48 (2014).
293. Corfu Channel, supra note 44, at 18; Antonopoulos, supra note 256.
294. Pulp Mills, supra note 45, at 71 para. 164.
295. Corfu Channel, supra note 44, at 51 (Judge Winiarski), 65 (Judge Badawi Pasha),
127 (Judge ad hoc Ečer); Tallinn Manual, supra note 25, rule 7 cmt para.
3.
296. Becker, supra note 202, at 135.
297. Pulp Mills, supra note 45, at 71 para. 164; Nicaragua, supra note 43, at 59-
60 para. 101; Markus Benzing, Procedure, Evidentiary Issues, in The Statute
to a clear and convincing standard to discharge their burden in an
international tribunal.
Rep. 2014 (Mar. 31), p. 226, 237 paras 18-20, 255-57 paras 73-82, 283 paras
188-90, 290-93 paras 217-227; The South China Sea Arbitration (The Republic
of Philippines v. The People’s Republic of China), Perm. Ct. Arbitration Case
No. 2013-19, (July 12, 2016), paras 297, 978-83, 1084-1108; Benzing, supra
note 297, at 1268.
305. Id.
306. But see Armed Activities on the Territory of the Congo (Dem. Rep. Congo
v. Uganda), Judgment, I.C.J. Rep. 2005 (Dec. 19), p. 40 para. 62 (hereinafter
“Armed Activities”).
307. Antonopoulos, supra note 256, at 64.
308. Matthew C. Waxman, The Use of Force Against States that Might Have Weapons
of Mass Destruction, 31 Mich. J. Int’l L. 1, 62 (2009).
309. Shabtai Rosenne, The Law and Practice of the International Court
1043 (4th ed., 2006).
310. Durward V. Sandifer, Evidence Before International Tribunals 170
(1975); see also Cheng, supra note 252, at 323-26; Mojitaba Kazazi, Burden
of Proof and Related Issues: A Study on Evidence before International
Tribunals 336-37 (1995).
311. Corfu Channel, supra note 44, at 72 (Judge Krylov).
312. Case of Certain Norwegian Loans (Fr. v. Nor.), 1957 I.C.J. Rep. 9, 39 (July
6) (Judge Lauterpacht); Pulp Mills, supra note 45, at 230 paras 25-26 (Judge
“Clear and convincing” should be the standard of proof to establish
knowledge. The applicant ought to produce “sufficiently clear”313
and weighty evidence to meet the standard.314 The applicant could
realistically gather sufficient evidence to establish a reasonable inference
of the respondent’s constructive knowledge.315 The standard also
precludes international tribunals finding violations of international law
based on unconvincing evidence,316 especially given these proceedings
rarely have appeal mechanisms.317
Greenwood).
313. Case Concerning Oil Platforms (Islamic Republic of Iran v U.S.), 2003 I.C.J.
Rep. 168, 200 para. 58 (Nov. 6).
314. Armed Activities, supra note 306, at 205 para. 72, 209 para. 91, 220 para. 136;
Nicaragua, supra note 43, at 24-25 para. 29; Trail Smelter, supra note 45, at
1965.
315. Cheng, supra note 259, at 325.
316. Roscini, supra note 292, at 252-53; Kazazi, supra note 310, at 337; see also
Nicaragua, supra note 43, paras 62, 109.
317. Kazazi, supra note 310, at 337.
318. Id.; Czosseck, supra note 9, at 23.
319. “[W]here the act complained of is only one in a series of similar acts, the repetition
of which [would] raise a presumption in favor of the [authorities’] knowledge
and . . . corresponding accountability.” 3 John Bassett Moore, History
and Digest of International Arbitrations to which the United
States has been a Party 3030, 3042 (1898) (citing Wipperman case) (emphasis
added).
Propensity then assists an applicant to overcome a lack of probative
evidence if confronted with an uncooperative territorial State. It also
incentivizes States to secure (at least) their governmental infrastructure.
But the approach does not prejudice States who lack the capacity to
safeguard their governmental infrastructure.320
Questions of a State’s actual or constructive knowledge are
contingent on a judicial forum’s evidentiary standards. Together, they
335. Schmitt ed., supra note 25, rule 1 cmt para. 6, rule 5 cmt para. 5; Schmitt &
Watts, supra note 152, at 4-5.
336. See Radziwill, supra note 36, at 81-83.
337. NATO CCDCOE, Tallinn Manual 2.0 Approach to State Responsibility (2015)
available at https://www.youtube.com/watch?v=1o8uuZsPvms (last visited
Apr. 17, 2016).
338. U.N. Charter, art. 2(4), 51; Schmitt ed., supra note 25, rule 11; Yoram Dinstein,
Computer Network Attack and Self-Defense, 76 Int’l L. Stud. 99, 103
(2002); Barkham, supra note 81, at 80; Schmitt, supra note 28, at 914; Albrecht
Randelzhofer & Oliver Dörr, Article 2(4), in The Charter of the United
Nations: A Commentary 208 (Bruno Simma ed., 3rd ed. 2012).
339. Schmitt ed., supra note 25, rule 5 cmt para. 5.
chaos by shutting down air-traffic control, dams or transportation
infrastructure remain hypothetical. Some argue that attacks on critical
national infrastructure (such as water supply and electricity grids) would
likely lead to secondary consequences of physical injury to persons and
objects.340 An attack on one critical network has a “synergistic effect,”341
propagating injury to other connected physical infrastructures.
Such conclusions need to be balanced. The scale and duration
of a cyberattack and the effectiveness of the target State’s response
340. Marco Roscini, Cyber Operations as A Use of Force, in Tsagourias & Buchan
eds, supra note 35, at 246.
341. Dana Shea, Critical Infrastructure: Control Systems and the Terrorist
Threat CRS-8 (2003).
342. SCADA systems control networks operating plants and equipment in industries
such as energy, electricity, transportation and water control. Nat’l
Communications System, Supervisory Control and Data Acquisition
(SCADA) Systems 4 (Technical Information Bulletin 04-1, 2004).
343. Shackleford, supra note 81, at 195; see also Ahmad Kamal, The Law of Cyberspace:
An Invitation to the Table of Negotiations 69 (U.N. Institute of Training
& Res., 2005); Jack Goldsmith, How Cyber Changes the Laws of War, 24 Eur. J.
Int’l L. 129, 133 (2013); Shea, supra note 341, at CRS-8.
344. Electricity Information Sharing and Analysis Center, Analysis of
the Cyber Attack on the Ukrainian Power Grid v-vi (2016),
https://ics.sans.org/mmedia/E-ISAC_SANS_Ukraine_DUC_5.pdf.
345. Terry D. Gill, Non-Intervention in the Cyber Context, in Ziolkowski ed., supra
note 9, at 235; U.N. Institute for Disarmament Res., supra note 24, at 3.
346. Genocide Case, supra note 30, at 202 para. 385.
obligation. Questions of whether a State failed to prevent the injury
emanating from their territory become immaterial. A State may forego
invoking intermediary cyber-diligence breaches if the injury is serious,
preferring to treat it instead as armed force or armed attack so as
to enliven jus ad bellum. Non-State hacktivists rarely (if ever) cause
physical injury. Hackers instead inundate networks with DDOS attacks
or implant malware and extract information.347
362. See Roscini, supra note 340, at 247; Committee on Offensive Information Warfare,
supra note 25, at 254.
363. Will Goodman, Cyber Deterrence: Tougher in Theory than in Practice?, 4
Strateg. Stud. Q. 103, 111 (2010); Id. at 40-41.
364. Kamal, supra note 343, at 52.
365. European Convention on Cybercrime, supra note 122, art. 5; The Constitution
and Convention of the International Telecommunication (ITU), 1825 U.N.T.S.
3, entered into force Jan. 1, 2000, art. 39(2); Kerschischnig, supra note 267, at
163.
366. Kamal, supra note 343, at 52.
367. Committee on Offensive Information Warfare, supra note 25, at 80.
368. Lin, supra note 357, at 68; Directive 2004/35/CE of the European Parliament
and the Council on Environmental Liability with Regard to Prevention and
Remedying of Environmental Damage, art. 2(2), 2004 O.J. (L. 143/56).
369. Seabed Mining, Advisory Opinion, supra note 30, at 10, [117].
certain infrastructures could disrupt downstream access to essential
service(s) for a protracted period.370 If predictions of cyberattacks on
health systems or transportation infrastructure materialise, the standard
of cyber-diligence should rise to correspond to the increased risk.
States should be obligated, with reference to the primary infrastructure
affected, to take proportionate action to prevent or reduce secondary
injuries (to the extent possible).371
370. Waxman, supra note 308, at 45; Lin, supra note 357, at 68; Committee on
Offensive Information Warfare, supra note 25, ch. 1.8.3. Legal and Ethical
Findings.
371. Seabed Mining, Advisory Opinion, supra note 30, para. 117; Draft Articles on
Transboundary Harm, supra note 78, at 153-54 art. 3 cmt para. 11.
372. Kamal, supra note 343, at 40-41.
373. Lin, supra note 357, at 63-64.
374. Roscini, supra note 340, at 241.
375. Crawford, supra note 55, at 55; Articles on State Responsibility, supra note 11,
at 34, 36 art. 2 cmt paras 9, 91, 92 art. 31 cmt para. 5.
376. Kathryn Jane Browne, Peacetime Espionage in International Law: From State
Practice to First Principles, ALSA Acad. J. 4, 5 (2016).
377. Differences Between New Zealand and France Concerning the Interpretation
constituting injury “of a moral, political and legal nature.”378 Some
commentators argue that cyber-espionage “can result in harm to
the country at least as severe as a physical attack.”379 Nonetheless,
the legality of peacetime cyber-espionage is highly disputed.380 Data
collection programs including Ghostnet, PRISM and Tempora
continue,381 implicitly tolerated by States, who “will not want to deprive
themselves of this tool.”382 There is no clear answer as to whether cyber-
exploitations constitute “serious injury” for cyber-diligence purposes.
385. Goodman, supra note 363; Kamal, supra note 343, at 40-41. A tactic known as
the “malware time-bomb” was used in the Georgia incident, where hacktivists
planted “time-bombs” to cause further damage upon the occurrence of a trigger
event.
386. Lin, supra note 357, at 79; Goldsmith, supra note 343, at 131.
387. Schmitt, supra note 56, at 75-76.
388. European Convention on Cybercrime, supra note 122, art. 4; Kamal, supra
note 343, at 52-53.
389. Victor Sabadash, A Latency of Computer Crimes (Computer Crime Res. Ctr,
2004), available at http://www.crime-research.org/articles/sabad03_2004/ (last
visited Sep 1., 2016).
390. Kamal, supra note 343, at 52-53.
391. Radziwill, supra note 36, at 78.
injury).392 But it is difficult to see how defacement and propaganda go
beyond “visual corruption of public webpages”.393 Defacement may
be considered offensive or even slanderous, depending on the target
State’s political orientation. But unlike “destructive” cyberattacks,
defacement merely causes superficial injuries to a network. Hacktivists
intend to transmit unwanted political messages, not to overthrow
a regime.394 Oppenheim’s International Law notes that due diligence
obligations do not extend to “suppress[ing] criticism of, or propaganda
obligation. Situation (2) is less clear: international law does not dictate
States’ domestic resource-allocation.403
In reality, establishing responsibility is not straightforward. To
evade responsibility, an accused State could claim:
1. they exercised their best efforts, yet still failed to achieve a
result in the face of new cyberattack methods;
402. Trapp, supra note 63, at 73; Genocide Case, supra note 30, at 221-22 paras 430-431;
Tehran Hostages, supra note 30, at 31 paras 63-64; Asian Agricultural Products
Ltd., supra note 280, para. 85.
403. Trapp, supra note 63, at 73.
404. Becker, supra note 202, at 151-52.
405. Cf. Pulp Mills, supra note 97, at 66-67.
406. See also Philippines v. China, supra note 146, para. 754.
407. Seabed Mining, Advisory Opinion, supra note 70, para. 117.
The 2015 G.G.E. report recommended that the U.N. “consider
initiatives for international dialogue and exchange on ICT security
issues.”408 A C.D.C. which encompasses “U.N. agencies, the private
sector, academia and civil society organisations”409 could facilitate best-
practice exchanges. S.C. Resolution 1377 invited the C.T.C. to promote
counter-terrorism best-practice and prepare model laws.410 A C.D.C.
could do the same, and implicitly define an expected standard of care
for cyber-diligence between member States.
VI. CONCLUSIONS
415. Jason Fritz, How China will Use Cyber Warfare to Leapfrog in Military Competitiveness,
8 Cult. Mandala 28 (2008).
416. Czosseck, supra note 9, at 16.
417. Report of the Sec’y General, Developments in the Field of Information and
Telecommunications in the Context of International Security, 70th sess., item
93, U.N. Doc. A/70/172 (July 22, 2015).
418. Report of the Sec’y General, Developments in the Field of Information and
Telecommunications in the Context of International Security, 71st sess., item
94, U.N. Doc. A/71/172 (July 19, 2016).
419. Cass R. Sunstein, Laws of Fear: Beyond the Precautionary Principle
41-45, 96-97 (2005); Eric Windholz, Testimonial: Public International Law Careers
Guide (2016), available at http://www.monash.edu/law/centres/castan-
centre/careers-guide/testimonials/eric-windholz (last visited Sep. 2, 2016).
420. Report of the Secretary-General of the United Nations, In Larger Freedom: Towards
Development, Security and Human Rights for All, U.N. Doc. A/59/2005
(2005), p. 25 para. 81.
Governments, in Cass Sunstein’s words, should “take careful steps to
ensure that laws and policies reduce, and do not replicate, the errors to
which fearful people are prone.”421 The same applies for international
law.
This paper assesses cyber-diligence practically, pre-empting how
States may respond to a range of cyberattack outcomes. It advocates a
narrow model of cyber-diligence under international law. Examining
possible analogies, the paper concludes that the model of counter-
Footnotes from table in section III.D.
1. Seabed Mining Advisory Opinion (2011) ITLOS Reports 10, paras 218–19.
2. Id. paras 223–26.
3. Id. para. 218; Pulp Mills [2010] I.C.J. Rep. 14, 58 para. 197.
4. Stephen Corones, Competition Law in Australia para. 1.105 (6th ed.
2014).
5. Independent Committee of Inquiry, Hilmer Report 1993 5 (Nat’l
Competition Pol’y, Report by the Independent Committee of Inquiry, 1993).