
State Responsibility and Cyberattacks

Defining Due Diligence Obligations

Ian Yuying Liu


Faculty of Law, Monash University
E-mail: ian.liu@hotmail.com

Cyberattacks are proliferating. Live trackers record over 6 million cyberattacks
daily. Information technology-dependent societies increasingly perceive cyber-threats
as a destabilising force and citizens inevitably look to the State for
protection. This paper concerns one form of State protection: whether States owe
due diligence obligations in cyberspace under the laws of State responsibility.
Specifically, it re-examines the contents of such an obligation and the circumstances
which could trigger it in light of cyberattacks’ peculiarities. A straightforward
replication of due diligence models from international environmental
law or law of the sea is not appropriate. But cyber-diligence should incorporate
certain principles found within both models and channel ultimate responsibility
for securing cyber-infrastructure onto private industry. Counter-terrorism
obligations are the most useful body of law in which to seek an analogy. This
paper argues that a State’s cyber-diligence obligation is triggered, at a minimum,
by: (1) constructive knowledge of a cyberattack, (2) which causes serious injury
to an operating network. These contents and triggers define a cyber-diligence
framework. Public pressure on the State and the market to intensify responses to
transnational cyber-threats will drive the adoption of such principles.

Keywords: Information Technology Law, Non-State Actors, Cyber War, National Security,
Internet Governance.

This paper was initially written in partial fulfilment of my LLB at Monash University.
I wish to thank Professor Douglas Guilfoyle and Kathryn Browne for their insightful
feedback on earlier drafts of the manuscript; and the editorial team at The Indonesian
Journal of International and Comparative Law for their excellent assistance. Any
errors remain my own.

The Indonesian Journal of International & Comparative Law


ISSN: 2338-7602; E-ISSN: 2338-770X
http://www.ijil.org
© 2017 The Institute for Migrant Rights Press

Electronic copy available at: https://ssrn.com/abstract=2907662


Liu
IV Indonesian Journal of International & Comparative Law 191-260 (April 2017)

I. CASE STUDY: “PATRIOTIC” HACKTIVISTS1

In April 2001, a U.S. surveillance plane and a Chinese fighter jet collide
over the South China Sea. The Chinese F-8 crashes, killing its pilot.
Meanwhile, the U.S. plane makes an emergency landing on Hainan Island.
China detains twenty-four U.S. crew members for eleven days in
a military base.2
A Sino-U.S. “cyber-war” commences.3 U.S. hackers retaliate against
the crew’s detention, defacing Chinese websites with messages including:
“first you China men try and take our plane and crew . . . what is next?
Our home land? Our freedom?”4 In response, “patriotic” Chinese
hacktivists strike back. In a self-branded “cyber-operation defending
our country,”5 hacktivists deface U.S. “.gov” and “.com” websites,6
leaving messages, including: “long live Chinese nationality!”7 Notably,
the hacktivists on both sides were private actors, who rationalized
their actions as legitimate patriotic demonstrations.8 This fact has led
some to speculate that the Chinese government’s information warfare
strategy includes “sponsoring” Chinese hacktivists.9 The terminology

1. Hacktivism: the use of cyberattacks to communicate political messages.


2. Congressional Res. Service, China-U.S. Aircraft Collision of April
2001: Assessments and Policy Implications (2001).
3. Craig S. Smith, May 6-12; The First World Hacker War, N.Y. Times (May 13,
2001), available at http://www.nytimes.com/2001/05/13/weekinreview/may-6-12-the-first-world-hacker-war.html
(last visited Oct. 20, 2016).
4. Xu Wu, Chinese Cyber Nationalism: Evolution, Characteristics and
Implications 55 (2007).
5. Id. at 54.
6. Nat’l Infrastructure Protection Ctr, Cyber Protests:
The Threat to U.S. Information Infrastructure 3 (2001),
available at http://www.au.af.mil/ (last visited Apr. 15, 2016).
7. Xu, supra note 4.
8. Nir Kshetri, The Global Cybercrime Industry 152 (2010).
9. Christian Czosseck, State Actors and their Proxies in Cyberspace, in Peacetime
Regime For State Activities in Cyberspace 22 (Katharina Ziolkowski
ed., 2013).

of “sponsoring” implies a form of state responsibility and insinuates
that hacktivism may be attributed to China under the relevant tests in
general international law.10 But attribution is only one possible test of
State responsibility.
What is a State’s responsibility for its own actions or inaction during
these cyberattacks?11 A due diligence obligation in cyberspace12 (“cyber-
diligence”), if established, would offer victim States alternative legal
recourse for a territorial State’s breach of a primary obligation.13 Subject
to the contents and triggers of the obligation defined below, China and
the U.S. could invoke one another’s responsibility for failing to prevent
hacktivism within their territories.14 The failure could constitute an
internationally wrongful act, which would then enable either State to
seek reparations.15
The present paper uses hacktivism as its opening case study to
canvass the issue of State responsibility in cyberattacks. We now turn to
examine, starting from first principles, the merits of including a cyber-
diligence obligation as part of the State responsibility framework.

10. See Stefan Talmon, The Responsibility of Outside Powers for Acts of Secessionist
Entities, 58 Int’l & Comp. L. Q. 493 (2009).
11. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, arts.
2(b), G.A. Res 56/83, 53rd Sess., Jan. 28, 2002, U.N. Doc. A/RES/56/83 (Dec.
12, 2001).
12. This paper adopts the definition of cyberspace as: the “[g]lobal domain within
the information environment consisting of the interdependent network of information
technology infrastructures, including the internet, telecommunications
networks, computer systems, and embedded processors and controllers.”
U.S. Dep’t of Defence, Deputy Secretary of Defense Memorandum:
The Definition of Cyberspace (May 12, 2008).
13. The State(s) from which the cyberattacks originate, or whose networks are implicated
in the cyberattack (territorial State). The State(s) whose networks are
injured in a cyberattack (victim State).
14. 1 Oppenheim’s International Law: Peace 391-92 (Robert Jennings & Sir
Arthur Watts eds, 9th ed. 2008).
15. Int’l L. Comm., supra note 11, at 38 ch. II. 91 art. 31.

A. Introduction
Cyberspace has “developed from [networks] of academic researchers
into a mainstream communications mechanism.”16 Unfortunately,
enhanced information flow results in the medium’s misuse. States
ought to assume greater responsibility to combat one type of misuse—
cyberattacks. Specifically, States should bear a cyber-diligence obligation
to prevent cyberattacks which originate from their territories. As
sovereigns with powers of enforcement within their territory, States are
in the best position to limit private action. After all, individual hackers
are present within a state’s jurisdiction.
Many States have also implemented cybersecurity strategies to
secure domestic cyber-infrastructure.17 Despite these efforts, global
cybersecurity has not progressed beyond non-binding agreements.18
“Conflicting political agendas . . . espionage [and] competition for global
influence”19 all work against custom crystallizing.20 Cyber-diligence
obligations, if imposed, would represent inter-State cybersecurity

16. Ian Brown, Expert Witness Statement for Big Brother Watch and Others Re:
Large-Scale Internet Surveillance by the U.K. 3 para. 7 (App. No. 58170/13 to
Eur. Ct H. R. (Sept. 27, 2013)), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2336609
(last visited Jan. 18, 2017).
17. A.B.I. Res., “Global Cybersecurity Index and Cyberwellness Profiles,” (Int’l
Telecommunications Union, Apr. 2015) (hereinafter International Telecommunications
Union); e.g., Indian Gov’t Ministry of Electronics & Information
Technology, National Cyber Security Policy (2013); Dep’t Prime
Minister & Cabinet, Australia’s Cyber Security Strategy (2016);
Gov’t of the U.K., The U.K. Cyber Security Strategy (2011); Executive
Off. of the President of the U.S., The National Strategy to Secure
Cyberspace (2003).
18. See Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security, U.N.
GAOR, 17th sess., Agenda Item 93, U.N. Doc A/70/174 (July 22, 2015).
19. James A. Lewis, Confidence-Building and International Agreement in Cybersecurity,
in 4 Disarmament Forum: Confronting Cyberconflict 51, 58
(Kerstin Vignard et al. eds, Apr. 2011).
20. Scott J. Shackleford, Scott Russell & Andreas Kuehn, Unpacking the International
Law on Cybersecurity Due Diligence: Lessons From the Public and Private
Sectors, 17 Chi. J. Int’l L. 1, 25-34 (2016) (using the U.S.’s, German and Chinese
cyber frameworks to illustrate the difficulties of custom crystallising in
cyberspace).

collaboration. Obliging each State to take all available measures to stop
cyberattacks which emanate from their territories would improve the
security of interconnected networks globally.21
Arguably, to date, no cyberattack has risen to the level of a use
of force. Aggrieved States have not invoked State responsibility for
a failure to prevent injurious cyberattacks. Yet, live trackers record
over six million cyberattacks daily,22 and fear of cyber insecurity has
gripped the world.23 States increasingly invest in cyber capabilities to
protect against escalations in cyberattack severity,24 with cyberspace
militarisation widely forecasted.25 Some commentators opine that
cyber weapons are the next “weapon of choice” for terrorism.26 This
kind of event could propel a global uptake and strict application of
cyber-diligence. This paper evaluates the cyber-diligence discourse

21. Division for Treaty Aff., U.N. Off. on Drugs & Crime, Comprehensive
Study on Cybercrime (Draft) 1-22 (Feb. 2013).
22. Norse (2016), http://map.norsecorp.com/; Checkpoint Software Technologies
(2016), available at https://threatmap.checkpoint.com/ThreatPortal/livemap.
html (last visited Mar. 1, 2016)
23. Xu Longdi, China’s Internet Development and Cybersecurity: Policies and Practices,
in Chinese Cybersecurity and Defence 46 (Daniel Ventre ed., 2014);
Kara Scannell & Gina Chon, F.T. Investigation: Cyber Insecurity U.S. Agencies
are Revealed to Lack Basic I.T. Defences, Financial Times (July 15, 2015), available
at https://www.ft.com/content/698deb42-200b-11e5-aa5a-398b2169cf79
(last visited Oct. 21, 2016).
24. U.N. Institute For Disarmament Res., The Cyber Index International
Security Trends and Realities xi, 1, 3, 9-55, 117 (Mar. 2013).
25. E.g., Cyberwar, Law and Ethics for Virtual Conflicts (Jens David Ohlin,
Kevin Govern & Claire Finkelstein eds, 2015); Tallinn Manual on the
International Law Applicable to Cyber Warfare (Michael N Schmitt
ed., 2013); Committee on Offensive Information Warfare, Technology,
Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack
Capabilities (William A. Owens, Kenneth W. Dam & Herbert S.
Lin eds, 2009).
26. Matthew J Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A
Justification for the Use of Active Defenses against States Who Neglect Their Duty
to Prevent, 201 Military. L. Rev. 1, 79 (2009) (citing Richard Garnett & Paul
Clarke, Cyberterrorism: A New Challenge for International Law, in Enforcing
International Law Norms Against Terrorism (Andrea Bianchi & Yasmin
Naqvi eds, 2004)).

in advance of such an event.27 It aims to comprehensively define the
contents and triggers of a cyber-diligence obligation, and offer reasoned
conclusions which States could implement in practice. The literature on
cyberattacks in international law, as of this writing, has not addressed
this subject matter in detail. The present paper’s proposed framework
for cyber-diligence fills this void.
The present paper focusses on a State’s cyber-diligence obligation
with respect to “peacetime” cyberattacks, not rising to the level of
armed force or armed attack.28 These attacks constitute the majority
of cyberattacks orchestrated by private hackers.29 Cybersecurity and
cyberattacks both, ironically, rely on skilled individuals: attackers
exploit, States defend. For international law to intervene, cyberattacks
initiated by non-State actors must be linked to the State.
First, this paper examines the source and character of the primary
rule which may make that link. Due diligence obligations derive from
States’ territorial sovereignty. Cyber-diligence should be classified as
an obligation of conduct. As the International Court of Justice (“I.C.J.”)
states: “the obligation of States [is] to [employ] all means reasonably
available to them”30 to prevent injurious activity. But a State does not

27. Thomas M. Franck, What Happens Now? The United Nations after Iraq, 97 Am.
J. Int. Law. 607, 620 (2003); Ronald Dworkin, A New Philosophy for International
Law, 41 Phil. & Pub. Aff. 2, 15 (2013).
28. See U.N. Charter art. 2(4), art. 51; Schmitt ed., Tallinn Manual, supra note
25, 45, 47-8; Michael Schmitt, Computer Network Attack and the Use of Force in
International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat’l
L. 914 (1999); Terry D. Gill & Paul A. L. Ducheine, Anticipatory Self-Defense
in the Cyber Context, 89 Int’l. L. Studies. 440 (2013); Matthew C. Waxman,
Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36
Yale J. Int’l L. 421, 431 (2011).
29. Committee on Offensive Information Warfare, supra note 25, at 34, 67.
30. Application of Convention on Prevention and Punishment of Crime of Genocide
(Bosn. & Herz. v. Serb. & Montenegro), 2007 I.C.J. 43, 91, ¶ 221 (Feb. 26)
(hereinafter Genocide Case); United States Diplomatic and Consular Staff in
Tehran (U.S. v. Iran), 1980 I.C.J. Rep. 3, 32-33 para. 68 (May 24) (hereinafter
Tehran Hostages); Seabed Disputes Chamber of the International Tribunal for
the Law of the Sea, Responsibilities and Obligations of States Sponsoring Persons
and Entities with Respect to Activities in the Area (Advisory Opinion)
(2011) I.T.L.O.S. Rep. 10, 41 paras. 110-112; Pulp Mills on the River Uruguay
(Arg. v Ur.), Merits, 2010 I.C.J. Rep. 14, 77 para. 187.

incur responsibility “because the desired result is not achieved.”31
Second, we define the content of States’ cyber-diligence obligations,
which should be distinct from due diligence obligations in environmental
law.32 However, States should implement the polluter pays principle.
Private industry owners, as the proponents of cyber-infrastructure,
should bear a preventive obligation to secure their networks and “self-
police”: monitoring, filtering, and isolating the sources of cyberattacks.
Cyberattacks are often covertly executed and realize instant effects.
Territorial States should be obliged to block ongoing cyberattacks
which cause serious injury and assist with investigations. However,
cooperation duties will likely be of minimal use in cyberattacks.
Current counter-terrorism obligations offer a viable model for cyber-
diligence, given the parallels between the threats they seek to combat.
To that end, a United Nations (“U.N.”) committee should similarly be
established to supervise States’ capacity building efforts.
Third, this paper defines the elements which trigger cyber-
diligence obligations. It argues the obligation should be engaged
when: (1) States have constructive knowledge of the cyberattack; and
(2) the cyberattack produces serious injury. Setting a constructive
knowledge threshold eases the victim State’s evidentiary burden. Clear
and convincing evidence, equitable to both States in litigation, should
satisfy the standard of proof. Serious injury occurs when a cyberattack:
(1) causes physical damage to individuals or objects; or (2) incapacitates
a computer network.
Fourth, this paper considers breach of the cyber-diligence
obligation. An objective standard of due diligence, defined through
best-practice exchanges, could provide a benchmark to measure the
effectiveness of States’ compliance.33 But many States may not be

31. Id.; James Crawford, Second Report on State Responsibility, U.N. Doc. A/CN.4/498
(Mar. 17, Apr. 1 and 30, July 19, 1999), at 21 para. 57.
32. Shackleford, Russel & Kuehn, supra note 20, at 35-36; cf. Thilo Marauhn, Customary
Rules of International Environmental Law: Can they Provide Guidance
for Development a Peacetime Regime for Cyberspace?, in Ziolkowski ed., supra
note 9, at 482; Katharina Ziolkowski, General Principles of International Law as
Applicable in Cyberspace, in id. at 167.
33. Brigitte Stern, The Elements of An International Wrongful Act, in The Law of
International Responsibility 208 (James Crawford, Alain Pellet, & Simon
Olleson eds, 2010).

favourable to best-practice exchanges of cyber-technology. States also
have different capabilities to intervene in cyberspace. As a result, their
capacity should limit their responsibility.34
Cyberattacks transcend exclusive territorial control.35 But the threat
does not necessitate a reinvention of international law.36 The proposed
cyber-diligence framework preserves State-centric responsibility in
cyberspace,37 extending post-Westphalian sovereignty to a relatively
Hobbesian environment (which is barely 20 years old).38 The author is
hopeful that the present paper can contribute to international law as a
project of imposing and maintaining “order through words, whether at
sea or on land . . . or indeed in cyberspace.”39

34. Alan Boyle, Liability for Injurious Consequences of Acts Not Prohibited by International
Law in International Responsibility, in id. at 98; Benedikt Pirker,
Territorial Sovereignty and Integrity and the Challenges of Cyberspace, in id. at
216.
35. Peter Margulies, Sovereignty and Cyber Attacks, 14 Melbourne J. Int’l L. 496,
513 (2013); Chris C. Demchack & Peter Dombrowski, Rise of a Cybered Westphalian
Age, 5 Strategic. Stud. Q. 31, 33 (2011); Uta Kohl, Jurisdiction in
cyberspace, in Research Handbook on International Law and Cyberspace
30 (Nicholas Tsagourias & Russell Buchan eds, 2015).
36. See Yaroslav Radziwill, Cyberattacks and the Exploitable Imperfections
of International Law 1 (2015).
37. Int’l L. Comm. Stud. Group, Fragmentation of International Law: Difficulties
Arising from the Diversification and Expansion of International Law, in Report
of the Study Group of the International Law Commission (58th Sess,
U.N. Doc. A/CN.4/L/702 (May 1 – June 9, July 3 – Aug. 11, 2006)), at 12 para.
10.
38. Jon Bing, Building Cyberspace: A Brief History of Internet, in Internet Governance:
Infrastructure and Institutions 38 (Lee A. Bygrave & Jon Bing
eds, 2009).
39. James Crawford, International Law as Discipline and Profession, 106 Am. Soc’y
Int’l L. Proc. of the Annual Mtg 472 (2012).

II. THE PRIMARY OBLIGATION OF DUE DILIGENCE IN STATE RESPONSIBILITY

A. Due Diligence derives from Territorial Sovereignty in Cyberspace40
Due diligence is a corollary of States’ equal sovereignty.41 States enjoy
plenary jurisdiction to control objects and subjects within their
territory,42 but must also “respect . . . the territorial sovereignty and
political integrity” of others.43 Flowing from States’ reciprocal respect,
the I.C.J. famously articulated the due diligence obligation: “it is every
State’s obligation not to allow knowingly its territory to be used for acts
contrary to the rights of other States.”44 Due diligence, accordingly, has
developed into a general principle of international law.45

40. Int’l L. Comm., supra note 11, at 32 paras 1, 2.


41. “[Territorial] sovereignty involves the exclusive right to display the activities of
a State. This right has as corollary a duty: the obligation to protect within the
territory the rights of other States . . . .” Island of Palmas Case (U.S. v. Neth.), 2
R.I.A.A. 838-39 (Perm. Ct. Arb. 1928).
42. Reparation for Injuries Suffered in the Service of the United Nations, Advisory
Opinion, 1949 I.C.J. Rep. 174, 180 (Apr. 11).
43. Military and Paramilitary Activities in and against Nicaragua (Nicar. v. U.S.),
1986 I.C.J. Rep. 14, 106 para. 202.
44. Corfu Channel Case (U.K. v. Alb.), 1949 I.C.J. Rep. 4, 22. (Apr. 9).
45. Id.; Island of Palmas, supra note 41; Nicaragua, supra note 43, at 14, 84-85
paras. 156-159; Asian Agricultural Products Ltd v Democratic v Socialist Republic
of Sri Lanka Case, Award, 4 I.C.S.I.D. Rep. 250 para. 47 (1997); Genocide
Case, supra note 30, at 220-21 paras. 429-430; SS Lotus (Fr. v Tur.), 1927
P.C.I.J. (ser. A) No 10, at 88-89 (Sep. 7) (Judge Moore); “‘Force majeure’ and
‘fortuitous event’ as circumstances precluding wrongfulness: Survey of State
practice, international judicial decisions and doctrine.” 2 Y.B. Int’l L. Comm.
61, 86-87 para. 73, 93-94 para. 101, 98 para. 118 (1978); Timo Koivurova,
Due Diligence, in Max Planck Encyclopedia of Public International
Law (Rüdiger Wolfrum ed., Feb. 2010),
http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1034;
Pulp Mills on the River
Uruguay (Arg. v. Uruguay), 2010 I.C.R. Rep. 14, 55-56 para. 101 (Apr. 2010);
Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996
I.C.J. Rep. 226, 242 para. 29 (July, 1996); Trail Smelter Arbitration (U.S. v.
Can.), Award, 3 R.I.A.A. 1905, 1965 (Perm. Ct. Arb. 1941).

Cyber-diligence applies the due diligence obligation to cyberspace
specifically.46 States should exercise cyber-diligence over cyber activity
within their “legal or regulatory control.”47 It is the concept of territorial
sovereignty which underpins all due diligence obligations.48 But what is
“territory” in cyberspace, when the realm has no physical boundaries?
References to cyberspace in this paper adopt a dualistic character:
the virtual domain which facilitates internet communications and the
physical hardware sustaining the domain’s operation.49 Cyberspace, as
an intangible medium, can only exist inside tangible infrastructure.50
It operates via “networks of computers, information systems, and
telecommunication infrastructures”51 located within a State’s territory.52
Within their territory, States enjoy exclusive legal authority over:
(1) cyber-infrastructure; (2) cyber-activity associated with their cyber-
infrastructure, and; (3) persons engaged in cyber activity.53 States
should also bear a primary due diligence obligation to ensure that
their infrastructure is not used to harm the equal sovereignty of other
States.54 A State’s failure to exercise due diligence should constitute an
internationally wrongful act.55

46. Memorandum from the U.S. Dep’t. of Defense, supra note 12.
47. Schmitt ed., supra note 25, rule 1 cmt para. 5.
48. James Crawford, Brownlie’s Principles of Public International Law
204 (8th ed., 2012).
49. See also Duncan Hollis, Re-Thinking the Boundaries of Law in Cyberspace, in
Ohlin, Govern & Finkelstein eds, supra note 25, at 129.
50. Thomas Wingfield, The Law of Information Conflict 17 (2000); U.S.
Dep’t. of Defense, Dictionary of Military and Associated Terms,
http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf.
51. Wingfield, supra note 50.
52. Jack Goldsmith & Tim Wu, Who Controls the Internet? Illusions of a
Borderless World 149-50, 181-83 (2008); Hollis, supra note 49.
53. Schmitt ed., supra note 25, rule 1 cmt para. 1.
54. Wolff Heintschel von Heinegg, Legal Implications of Territorial Sovereignty in
Cyberspace, in Proceedings of the 4th International Conference on
Cyber Conflict 9-10, 15 (Christian Czosseck, Rain Ottis & Katharina Ziolkowski
eds, 2012); Schmitt ed., supra note 25, rule 5 cmt para. 2.
55. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, supra
note 11, 34-35 art. 2 cmt para. 4; James Crawford, State Responsibility:
The General Part 227 (2013).

Some States resist the idea of cyber-diligence obligations, avoiding
additional burdens on their resources and perceived overregulation
of cyberspace.56 Others firewall domestic internet, creating a “closed
national network” averse to foreign influence.57 Cyber-diligence’s
current generality renders it extant in theory, but an afterthought in
practice.
This section identifies the source of cyber-diligence obligations.
But States ought to be informed of what positive actions fulfil the
obligation (Section III) and when these actions should be undertaken
(Section IV). First, this paper explores a characteristic of due diligence
obligations: strong in adaptability but weak in enforcement.

III. CONTENTS OF THE CYBER-DILIGENCE OBLIGATION

A. Obligation of Conduct versus Obligation of Result58

Due diligence is a “relative, not absolute,”59 obligation of conduct.
States have the discretion to adopt any feasible measures to prevent
cyberattacks injuring other States,60 “without warranting that the
[attacks] will not occur.”61 Breach of the obligation turns on whether
a territorial State took all appropriate measures to protect the victim


56. Michael N. Schmitt, In Defense of Due Diligence in Cyberspace 125 Yale J. L.
Forum 68, 69, 71 (2015); U.N. Institute For Disarmament Res., supra note 24,
at x.
57. Goldsmith & Wu, supra note 52, at 149, 184.
58. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, supra
note 11, at 56-57, art. 12 cmt paras 11-12.
59. Crawford, supra note 55.
60. Constantin P Economides, Content of the Obligation: Obligations of Means and
Obligations of Result, in Crawford, Pellet & Olleson eds, supra note 33, at 374.
61. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, supra
note 11, 62 art. 14 cmt (14); Genocide Case, supra note 30, at 43, 221 para.
430.

State from attack.62 Whether the territorial State had “genuine capacity
to avert the threat” in the circumstances informs the assessment.63
Due diligence obligations differ from obligations of result, which
require that a State must prevent the occurrence of a cyberattack,
regardless of the means employed.64 These obligations represent a
State’s absolute guarantee to reach a precise outcome.65 Imposing an
obligation of result in cyber-diligence would likely require States to
adopt burdensome practices. Cybersecurity cannot, as yet, provide
impenetrable network protection. Even the most diligent State, with
the highest capacity, cannot guarantee that their infrastructure will not
be compromised.66

1. Undesirable Uncertainty
Obligations of conduct readily adapt to cyber-diligence. Their flexibility
accords with a disparity between the technical capabilities of different
States.67 The obligation does not levy excessive burdens on developing
States, who typically do not have the capacity to carry out diligence on
the same level as developed States.68 In evolving areas of international
law, obligations of conduct “[integrate] new standards of diligence . . .
into customary international law as they are progressively adopted by
State practice.”69

62. See infra, V.


63. Kimberley Trapp, State Responsibility for International Terrorism
65 (2011).
64. See Göran Lysén, State Responsibility and International Liability of
States for Lawful Acts: A Discussion of Principles 62 (1997).
65. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, supra
note 11, at 59 art. 14; Crawford, supra note 55, at 226-27; Economides,
supra note 60, at 375.
66. International Telecommunications Union, supra note 17, at 41-513; Pirker, supra
note 34, at 208.
67. Economides, supra note 60, at 376; International Telecommunications Union,
supra note 17.
68. International Telecommunications Union, supra note 17, at 41-513.
69. Pierre-Marie Dupuy, Reviewing the Difficulties of Codification: On Ago’s Classification
of Obligations of Means and Obligations of Result in Relation to State
Responsibility, 10 Eur. J. Int’l L. 371, 375 (1999).

However, an obligation of conduct’s elasticity has deficiencies.
First, States enjoy wide latitude in deploying available means to prevent
cyberattacks.70 Second, failing to achieve a specific result in each
instance does not necessarily breach the obligation.71 Obligations of
conduct are indeterminate, “lacking precise stipulation of the means
to achieve the specified result.”72 As long as a State has endeavoured
to realise a result, it will not have violated the primary rule, even if
a cyberattack materialises.73 The obligation “contains an undeniable
degree of subjectivity [which varies] according to the epoch, the
circumstances and the particular [State] in question.”74
Cyber-diligence then becomes an obligation to attempt, without
any precise guidance on how a State should attempt to terminate
cyberattacks. Unless a State has deliberately withheld resources during
a cyberattack or simply “gone through the motions”,75 establishing
breach of the obligation is difficult. Accusing States must prove “the
damage sustained . . . the lack of diligence, and the causal relation
between the two elements.”76
This paper offers a (conditional) solution to overcome the obligation’s
imprecise nature.77 But for the moment, we turn to examine and select
principles within established due diligence models to formulate the
contents of a cyber-diligence framework.

70. Genocide Case, supra note 30, at 221 para. 430; Seabed Mining, Advisory Opinion,
(2011) I.T.L.O.S. Rep. 10, para. 110; Crawford, supra note 55, at 229-230.
71. Genocide Case, supra note 30, at 221 para. 430.
72. Economides, supra note 60, at 378; cf. Second Report on State Responsibility,
U.N. Doc. A/CN.4/498, at 21 para. 58.
73. Economides, supra note 60, at 376.
74. Pierre-Marie Dupuy, International Liability of States for Damage Caused by
Transfrontier Pollution, in Legal Aspects of Transfrontier Pollution 372
(Organ. for Econ. Cooperation & Dev. ed., 1977).
75. See U.S. v. Iran, supra note 30, at 12-13 para. 18.
76. Economides, supra note 60, at 377.
77. See infra, III.F.3.

B. Cyber-Diligence should not adopt the Preventive Principle
We begin our examination with the preventive principle, a significant
element within established due diligence models. The principle
requires States to take preventive measures to reduce the likelihood
of transboundary damage where the risk is known.78 Preventive
cyber-diligence would oblige States to create and maintain a clean
infrastructural environment, in advance of any cyberattacks.79 We will
not address the precautionary principle, which applies in the absence
of scientific certainty that a risk will cause harm.80 It is settled that
cyberattacks could cause serious injury.81
Some commentators82—and a U.N. Working Group83—posit that
States should undertake preventive cyber-diligence.84 The suggestions
include:85

78. International Liability for Injurious Consequences Arising out of Acts not Prohib-
ited by International Law, 2 Y.B. Int’l L. Comm. 148 (2001) (hereinafter Draft
Articles on Transboundary Harm); Crawford, supra note 48, at 356-57.
79. Marauhn, supra note 32, at 475; Ziolkowski, supra note 32, at 185-86.
80. Precautionary measures are inherently part of due diligence obligations in the
marine environment. Responsibilities and Obligations of States Sponsoring Persons
and Entities with Respect to Activities in the Area (Request for Advisory
Opinion submitted to the Seabed Disputes Chamber), Advisory Opinion, ITLOS
Reports 2011, at 46 (Feb. 1, 2011); see Cass R. Sunstein, Worst-Case
Scenarios 123 (2007).
81. See infra, IV.B; Schmitt ed., supra note 25, rule 11, 13; Gill & Ducheine, supra
note 28, 444-45; Scott J. Shackleford, From Nuclear War to Net War: Analogis-
ing Cyber Attacks in International Law, 27 Berkeley J. Int’l L. 192, 218-19
(2009); Jason Barkham, Information Warfare and International Law on the Use
of Force, 34 N.Y.U. J. Int’l L. & Pol. 57-58 (2001); Detlev Wolter, Looking to-
wards the Future of Cyber Security: What Does A Stable Cyber Environment
Look Like? Speech delivered at the UNIDIR Cyber Security Conference 2012
(Geneva, Nov. 8-9, 2012).
82. Ziolkowski, supra note 32; Marauhn, supra note 32; Shackleford, Russel &
Kuehn, supra note 20.
83. Group of Governmental Experts on Developments in the Field of Information
and Telecommunications, U.N. Doc. A/70/174.
84. E.g., Shackleford, Russel & Kuehn, supra note 20, at 35-40.
85. Id. at 35-36; Marauhn, supra note 32, at 482, Ziolkowski, supra note 32, at 167,
169, 186; Eneken Tikk, Kadri Kaska & Liis Vihul, International Cyber
1. Risk assessment before the harm;
2. Consultations on preventive measures with “interested” States;
3. International cybersecurity cooperation, and;86
4. Monitoring suspicious activity.

A number of these procedural steps constitute custom in


international environmental law.87 While these measures could



obviate transboundary harm, they would do little to suppress ongoing
or imminent cyberattacks. For instance, risk assessment identifies
vulnerable networks. States could secure these networks, improve long-
term network health, and make future cyberattacks harder to execute.88
But risk assessment would do little to reduce injuries from a cyberattack
that is underway. Hacktivists can launch attacks from infrastructure
in States with lower cybersecurity,89 diverting the source but not the
effect of the eventual injury.90 Another preventive measure could be to
destroy malicious software (“malware”) capable of being “weaponized”
in a cyberattack. But nearly 200,000 new malware codes are identified
daily.91 The negligible effects of “search and destroy” operations do not
warrant State expenditure.92
Preventive measures are of minimal use when cyberattacks penetrate
computer networks and cause instant injury. The territorial State should
assist instead in the “rescue effort”. They should engage skilled experts

incidents: Legal Considerations 60-61 (2010).


86. See infra, III.B.3.
87. Gerhard Hafner & Isabelle Buffard, Obligations of Prevention and the Precau-
tionary Principle in International Responsibility, in Crawford, Pellet & Olleson
eds, supra note 33, at 524-25
88. Tikk, Kaska & Vihul, supra note 85, at 60-61; Ziolkowski, supra note 32, at
169, 186.
89. See Seung Hyun Kim, Qiu-Hong Wang & Johannes B. Ullrich, A Comparative
Study of Cyberattacks, 55 Comm. Acm. 66, 67-68 (2012).
90. Int’l L. Ass’n, I.L.A. Study Group on Due Diligence in International
Law: First Report 27 (2014), available at http://www.ila-hq.org/en/com-
mittees/study_groups.cfm/cid/1045 (last visited Jun. 15, 2016); Schmitt, supra
note 59, at 74.
91. Katharina Ziolkowski, Introduction, in Ziolkowski ed., supra note 9, at xv.
92. Sunstein, supra note 80, at 126-27.
to alleviate bandwidth limitations, isolate the malicious data causing
actual injury in the victim State, and cooperate in investigations.93
Below, we revisit the preventive principle’s origins in international
environmental law. We shall demonstrate that a State’s preventive
duties should be confined to the circumstances in which it arose,
transboundary environmental harm.94

C. International Environmental Law


This subsection discusses the rationale behind the preventive principle,
contrasting cyber-threats against environmental threats. It disputes
cyberspace’s status as a global resource and argues that the polluter
pays principle ought to be adopted in cyber-diligence.
Scholarship and jurisprudence on preventive due diligence is most
developed in international environmental law. Commentators draw
an analogy between prevention of “noxious activity” and prevention
of “information pollution.”95 The source of preventive obligations can
be traced back to the “no harm” principle (sic utere tuo ut alienum non
laedas).96 States must not cause significant transboundary damage to
the environment of another State.97 In Trail Smelter, the arbitral tribunal
proclaimed: “no State has the right to use or permit the use of its
territory . . . to cause injury by fumes in or to the territory of another . . .

93. See infra, III.E.


94. Cf. Shackleford, Russel & Kuehn, supra note 20, at 35-36, Marauhn, supra note
32, at 482, Ziolkowski, supra note 32, at 167; Robin Geiß & Henning Lahmann,
Freedom and Security in Cyberspace: Shifting the Focus Away from Military
Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention
in Peacetime Regime, in Ziolkowski ed., supra note 9, at 655-56; Heinegg,
supra note 54, at 18.
95. Shackleford, Russel & Kuehn, supra note 20, at 11; Marauhn supra note 32.
96. Hafner & Buffard, supra note 87, at 524.
97. Declaration of the United Nations Conference on the Human Environment,
U.N. Doc. A/Conf.48/14/Rev. 1 (1973); 11 I.L.M. 1416 (1972), Principle 2; Le-
gality of Nuclear Weapons, supra note 45, at 241 para. 27; Case Concerning
the Gabčíkovo-Nagymaros Project (Hung./Slovk.), 37 I.L.M. 7, 41 [53] (1998)
(hereinafter Gabčíkovo-Nagymaros); Pulp Mills on the River Uruguay (Arg. v.
Uru.), 2010 I.C.J. 14 (Apr. 10), at 77 para. 187 (hereinafter Pulp Mills); Int’l L.
Ass’n, supra note 90, at 26.
when the case is of serious consequence.”98 Derived from this principle,
a territorial State must undertake preventive measures to regulate third
party pollution, in advance of any materialised environmental harm.99
An analogy to environmental law’s preventive approach is enticing.
However, we should not extrapolate obligations that have arisen in the
context of the natural environment100 to suggest that they have become
general principles of international law. The natural environment is a
finite global resource vulnerable to permanent degradation from human



activity.101 International environmental law provides legal protection
against hazardous activities threatening the health of “natural resources
. . . such as air, water, soil, fauna and flora.”102 The preventive principle is
inextricably linked with the “neighbouring State” concept. It regulates
transboundary activity on one State to preserve natural resources
located on a neighbouring State.103
We dispute the preventive principle’s adaptability to cyberspace.
First, cyberspace is not a natural resource, but a product of human
ingenuity. Barriers of distance and time are immaterial to cyberspace’s
virtual existence.104 Territoriality should not be the focus of preventive
regulations in cyberspace: the source of the harm is not limited to the
(geographically) neighbouring State. A cyberattack can be directed
from any distant location connected to the internet and traverse

98. Trail Smelter (U.S. v. Can.), 3 R.I.A.A. 1905, 1950 (Mixed Claims Comm’n
1938, 1941).
99. Pulp Mills, supra note 97, at 79-80 para. 197; Ziolkowski, supra note 32, at 166;
Cedric Ryngaert, Working Session 1 (Study Group on Due Diligence in
International Law, 2014).
100. Seabed Mining Advisory Opinion, (2011) I.T.L.O.S. Rep. 10, paras 124-150 (cit-
ing Southern Bluefin Tuna Case (Austl. & N.Z. v. Japan), Request for Provi-
sional Measures, Order, Int’l Trib. for the L. of the Sea, Aug. 27, 1999, paras 77,
80; Pulp Mills, supra note 97, at 82-83 para. 204.
101. Gabčíkovo-Nagymaros, supra note 97, at 54 para. 78; Crawford, supra note
48, at 352 para. 1.
102. Convention on Civil Liability for Damage resulting from Activities Danger-
ous to the Environment, art 2(1), C.E.T.S. (No.150), entered into force June 21,
1993.
103. Marauhn, supra note 31, at 483.
104. Id.
numerous States before it harms a network.105
Second, the I.C.J.’s jurisprudential promotion of the preventive
principle aims to secure the environment’s long term sustainability and
avoid disturbance to its ecological balance.106 Environmental damage
cannot easily be undone.107 The harm’s irreversibility underpins
societies’ willingness to adopt aggressive steps to control the perceived
risk.108 This rationale is not transferable to cyberspace. Cyberspace, still

in its infancy, has seemingly infinite resources.109 Permanent cyberspace


degradation is not an issue: servers can be restored after attacks and
security breaches can be repaired. At worst, physical infrastructure
and data destroyed in a cyberattack still would not affect the overall
functioning of the cyberspace domain.
States have no impetus to restrict private actors from “polluting”
cyberspace. The “tragedy of the commons” theory reasons that “we are
locked into a system of fouling our own nest”.110 This is because the
cost of the waste “[a person] discharges into the commons is less than
the cost of purifying [her] wastes.”111 We do not foul the cyberspace
“nest” because no amount of “cyberwaste” can (currently) overload and
inhibit cyberspace functions. The medium fosters independent gain
without fear of endangering the cyberspace platform.
The “polluter pays” principle should be applied to shift the duty
of prevention onto private industry. (This should sit alongside States
criminalising cyber-offences for individual liability.) As Alan Boyle
suggests, “it may be simpler, quicker, and economically more efficient
to make polluters . . . pay rather than States.”112 State regulations should

105. Margulies, supra note 35, at 500.


106. Crawford, supra note 48, at 352 para. 1.
107. Gabčíkovo-Nagymaros, supra note 97, at 77-78 para. 140.
108. Sunstein, supra note 80, at 176-82; Richard Posner, Catastrophe: Risk
and Response 161-62 (2006); Graciela Chichilnisky & Geoffrey Heal, Global
Environmental Risks, 7 J. Econ. Perspect. 65, 67, 80 (1993).
109. Nicholas Tsagourias, The Legal Status of Cyberspace, in Tsagourias & Buchan
eds, supra note 35, at 28.
110. Garrett Hardin, The Tragedy of the Commons, 162 Sci. 1243, 1245 (1968).
111. Id.
112. Boyle, supra note 34.
burden corporations who own the servers and equipment powering
cyberspace (“network owners”) with the corrective responsibility of
ensuring their networks do not facilitate cyberattacks.

1. The “Polluter Pays” Principle Should Be Adopted113


The Rio Declaration defines the polluter pays principle: “national
authorities should endeavour to promote the internalisation of
environmental costs . . . the polluter should, in principle, bear the



costs of pollution.”114 Municipal law and State responsibility should
jointly account for injuries from cyberattacks. States’ cyber-diligence
obligations should include implementing domestic criminal and civil
liability.115 This would harmonize the interests of territorial States (to
avoid full liability) and victim States (to access legal redress at the
domestic and international levels).116
First, States should identify the cyber-polluter(s) to which liability
attaches.117 In environmental law, liability attaches to the operator
causing pollution, but also “on other people specifically identified as
being at the origin of the damage.”118 Civilly liable persons include,
for example, the carrier of dangerous goods contaminating the
environment,119 and the owner of a ship from which polluting oil
escaped.120

113. Recommendation of the Council of May 26, 1972 on Guiding Principles con-
cerning International Economic Aspects of Environmental Policies, Principle
4, C (72) 128 (May 26, 1972).
114. Declaration of the United Nations Conference of the Human Environment,
Principle 16, U.N. Doc. A/Conf.48/14/Rev. 1 (1973); 11 I.L.M. 1416 (1972).
115. See infra, III.D.
116. Int’l L. Comm., International Liability for Injurious Consequences Arising Out
of Acts Not Prohibited by International Law, 58th sess., 2910th mtg, U.N. Doc.
A/CN.4/562 (May 1-June 9, July 3-Aug 9, 2006), at 59 principle 6.
117. Régis Chemain, The “Polluter Pays” Principle, in Crawford, Pellet & Olleson
eds, supra note 33, at 883.
118. Id.
119. Convention on Civil Liability for Damage Caused during Carriage of Dan-
gerous Goods by Road, Rail and Inland Navigation Vessels, art. 5, opened for
signature Feb. 1, 1990, U.N. Doc. ECE/TRANS/79.
120. International Convention on Civil Liability for Oil Pollution Damage, 9 I.L.M.
In cyberspace, the polluter’s “payment” should expand beyond
monetary compensation (damages or taxes) to individual civil and
criminal liability. The “cyber-polluter” should include both individual
hackers and infrastructure operators. Hackers are responsible for the
causative activity: they deliver cyberattacks which injure a network.
Operators who fail to secure their infrastructure enable cyberattacks
to be directed from, or routed through, their networks. Liability should
extend to both these parties located at the source of the damage.121 This

differs from environmental pollution, where a polluting entity alone is


liable.
Second, State regulation is required to ensure the individual liability
of cyber-polluters. States ought to: (1) enact and enforce national
legislation criminalising cyberattacks;122 and (2) make network owners,
such as Huawei, AT&T, Sprint, and China Telecom responsible for
securing their private infrastructure.123 The owners may outsource
the task to “threat intelligence” companies, such as Norse, who should
continuously monitor network health, deny security breaches in real-
time, and pre-emptively refuse dangerous signals.124 Territorial States’
judicial systems should be amenable to foreign claims against private
industry.125 As with cyber-diligence, “cyber-pollution” should only
engage a polluter’s responsibility when cyberattacks cause serious
injury.126
Directing a degree of primary responsibility onto corporations for
“cyber-pollution” incentivises industry to develop best practice and
minimise liability. Consumer perception of network owners’ cyber
vulnerability could result in reputational and stock-price hits. The

45, entered into force May 30, 1996.


121. See Chemain, supra note 117, at 881.
122. See European Convention on Cybercrime, E.T.S. No 185, entered into force Oct.
29, 2001.
123. See infra, III.D.
124. Norse, supra note 22.
125. Draft Articles on Transboundary Harm, supra note 78, at 163 art. 10 cmt (9)
– (11); Declaration of the United Nations Conference of the Human Environ-
ment, U.N. Doc. A/CONF.48/14/Rev.1, Principle 16.
126. See infra, IV.B.
market itself incentivises network owners to adopt cybersecurity.127
State regulation should reinforce economic deterrence: “unclean”
network owners should not receive government tenders and private
contracts.128
But emphasising private law reparations would have downsides.
First, a private liability regime could dilute State responsibility, moving
questions of cyber-diligence from public international law into private
international law.129 The principle risks “exonerating certain subjects of



international law from their share of responsibility for damage” caused
by cyberattacks.130
Second, civil liability does “not always [guarantee] real compensation
for the damage caused to the environment.”131 A compensation scheme
does not rectify the damage already caused to networks. To counter this
inadequacy, States ought to take positive steps to terminate cyberattacks
that are in progress and mitigate injury as far as possible. They should
also bear cooperation duties to help restore injured networks post-
cyberattack.132
In limited State practice, victim States readily initiate prosecution
under domestic criminal laws after they ascertain a hacker’s identity. In
2007, cyberattacks targeted Estonia’s government websites, e-services,
and information infrastructure after Estonia removed a Soviet-era
memorial.133 Attack methods included denial of service (“DOS”),134

127. Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Poli-
cy Options, in Nat’l Res. Council, Proceedings of a Workshop on De-
terring Cyberattacks: Informing Strategies and Developing Options
for U.S. Policy 8 (2010).
128. See III.B.2.
129. Chemain, supra note 117, at 883.
130. Id. at 882-83.
131. Id. at 879.
132. Although such a duty’s effectiveness is questionable. See infra, III.E.
133. Tikk, Kaska & Vihul, supra note 85, at 15; Project Grey Goose, Phase I
Report (2008), available at https://zh.scribd.com/doc/6967393/Project-Grey-
Goose-Phase-I-Report (last visited Apr. 2, 2016).
134. A denial of service attack uses one computer to flood a target network. The tar-
get network, unable to handle the volume of requests, is forced to shut down.
Tallinn Manual, supra note 25, at 259.
distributed denial of service (“DDOS”),135 defacements, and spam.
After the onslaught, Estonia sought to subject alleged hackers to
computer sabotage crimes in their Penal Code.136 The U.S. has also
prosecuted five Chinese hackers under their criminal code, despite the
hackers being identified as members of the Chinese military,137 and by
extension, carrying out official State organ functions.138
But successful investigation and prosecution requires “dual

criminality” of the cyberattack offence in both the victim State


and the perpetrator’s domicile State.139 If the domicile State has not
criminalized cyberattacks, they are unlikely to extradite their national
for prosecution.140 Gathering sufficient evidence to prosecute would
also be difficult: the victim State needs to access information held by
the domicile State.141 For example, Russia refused to assist Estonia to
identify hackers with Russian IP addresses.142 This occurred despite
their bilateral Mutual Legal Assistance Treaty.143
This subsection demonstrates that the preventive principle
should not be adopted in States’ cyber-diligence. Rather, despite its
shortcomings, States should use the polluter pays principle to pressure
industry to improve cybersecurity. States should implement the
principle into domestic law as part of their cyber-diligence obligation.
Having established that the due diligence obligation in

135. A distributed denial of service attack uses multiple computers to flood a target
network. This is often achieved using botnets. Tallinn Manual, supra note 25,
at 259; Tikk, Kaska & Vihul, supra note 85, at 19, 112.
136. Tikk, Kaska & Vihul, supra note 85, at 26-28, 57-58; see also Radziwill,
supra note 36, at 82.
137. U.S. v Wang Dong, Criminal No. 14-118 (W.D. Pa., May 1, 2014).
138. James Crawford, First Report on State Responsibility, U.N. Doc. A/CN.4/490
(Apr. 24, May 1, 5, 11 and 26, July 22 and 24, Aug. 12, 1998), 34 para. 158.
139. Division for Treaty Aff., United Nations Office on Drugs and Crime,
Comprehensive Study on Cybercrime (Draft) 60 (February 2013); U.N.
Off. on Drugs & Crime, The Use of the Internet for Terrorist Purpos-
es 134 para. 437 (Sept. 2012).
140. Id.
141. See infra, IV.A.1.
142. Tikk, Kaska & Vihul, supra note 85, at 26-28.
143. See infra, III.E.
environmental law does not fit with cyberspace, we visit another
possible analogy for cyber-diligence: due diligence in the marine
environment. As is taken up later, cyberspace, unlike the high seas,
is not a res communis. An analogy with the marine environment also
impractically extends the scope of cyber-diligence obligations to
nationals outside territorial control. But it provides guidance for an
adequate regulatory framework in cyber-diligence.



D. International Law of the Sea
Part XII of the United Nations Convention on the Law of the Sea
(“UNCLOS”) enshrines States’ due diligence obligations within the
marine environment. Article 192 establishes the general obligation to
“protect and preserve the marine environment.”144 Under Article 193,
States enjoy the sovereign right to exploit natural resources, but must
also take measures to prevent pollution to the marine environment.145
Several differences arise when applying due diligence obligations in
the marine environment compared to cyberspace. First, due diligence
obligations under UNCLOS do not exclusively attach to sovereignty.146
Vessels may operate in areas where States enjoy mutual rights.
Articles 192 and 193 oblige flag States to ensure conservation of living
resources, including in the exclusive economic zones of other States.147
To discharge this obligation, flag States ought to ensure vessels within
their jurisdiction and control “do not undermine [their] obligations
. . . to protect and preserve the marine environment.”148 The arbitral

144. United Nations Convention on the Law of the Sea, art. 192, 1833 U.N.T.S. 3,
entered into force Nov. 16, 1994 (hereinafter “UNCLOS”).
145. Id. art. 193.
146. UNCLOS, supra note 144, art. 58(3), 62(4); Request For An Advisory Opinion
Submitted by the Sub-Regional Fisheries Commission, Advisory Opinion, Int’l
Trib. for the L. of the Sea, Case No 21 (Apr. 2, 2015), paras 120-124 (hereinafter
SRFC Advisory Opinion); The Republic of Philippines v The People’s Republic
of China, Award, Perm. Ct of Arbitration, Case No 2013-19 (July 12, 2016),
[940] (hereinafter Philippines v. China).
147. Philippines v. China, supra note 146, at 944; SRFC Advisory Opinion, supra
note 146, paras 133-36; Southern Bluefin Tuna, supra note 100, para. 70.
148. Philippines v China, supra note 146, para. 944; Pulp Mills, supra note 97, at 79-
80 para. 197.
tribunal in the South China Sea case found China breached their
due diligence obligation.149 China knowingly tolerated “the propeller
chopping method” exploiting living reefs across the Spratlys within
their jurisdiction and control.150 China knew that their flagged vessels
poached endangered species outside of their territorial control, which
“[inflicted] significant damage on rare or fragile ecosystems.”151
Attaching due diligence obligations to the conduct of nationals

would simply not work in the same way in cyberspace. A State’s cyber-
diligence obligation should not extend to terminating a cyberattack
initiated by a national abroad.152 In the sea, a flag vessel’s physical location
is identifiable. A State’s due diligence obligation follows their flag vessels’
chartered territory. In cyberspace, a State exercises authority over
infrastructure within their exclusive control both in their territory and
extraterritorially.153 But a State’s jurisdictional control of their nationals
assumes different characteristics. The operations of transnational non-
State actors (and their data trails) are often borderless, simultaneously
residing in multiple jurisdictions.154

149. Philippines v China, supra note 146, paras 961-66.


150. Id. para. 965.
151. Id. para. 961.
152. Cf. Michael N. Schmitt & Sean Watts, Beyond State-Centrism: International
Law and Non-state Actors in Cyberspace 21 J. Conflict. & Sec. L. 1, 8 (2016).
153. Schmitt ed., supra note 25, rule 2, 5.
154. Id. rule 2 cmt para. 3.


Consider the diagram: a national of State A, physically located in
State B, usurps networks in States C and D to launch attacks. For State
A to terminate the cyberattacks, it needs to access networks in States
C and D (constituting prohibited interference,155 unless States C and D
grant consent). In this situation, besides a duty of cooperation to assist
a victim State’s investigations of their national, State A should not bear
a cyber-diligence obligation to terminate the cyberattack.
Separately, the International Tribunal for the Law of the Sea’s
(“ITLOS”) Seabed Disputes Advisory Opinion articulates internal
laws and regulations which States ought to adopt to fulfil due diligence
obligations.156 UNCLOS places due diligence obligations on States
who engage contractors for projects within international waters
(sponsoring States).157 Sponsoring States are required to “[adopt] laws

155. E.g., Shanghai Cooperation Org., International Code of Conduct for Informa-
tion Security, art. 2 (3)-(4), U.N. GAOR, 69th sess., Agenda item 91, U.N. Doc.
A/69/723 (Jan. 13, 2015); European Convention on Cybercrime, supra note
122, arts 4-5; Arab Convention on Combating Information Technology Of-
fences, art. 8, League of Arab States General Secretariat, signed and entered into
force Dec. 21, 2010.
156. Seabed Mining Advisory Opinion, supra note 70, paras 212-41; UNCLOS, su-
pra note 144, art. 139 para. 1, Annex III art. 4(4).
157. UNCLOS, supra note 144, art. 139(1), Annex III art. 4(4); Seabed Mining Ad-
and regulations and [take] administrative measures which are, within
the framework of its legal system, reasonably appropriate for securing
compliance by persons under its jurisdiction.”158
The following table distils principles from ITLOS’ advisory
opinion, summarising how they may be applied to cyber-diligence.159
These suggestions should be read in light of the “cyber-polluter pays”
argument.160 The same due diligence principles apply under UNCLOS

and environmental law, demonstrating their uniformity.

visory Opinion, supra note 70, paras 124-50; Southern Bluefin Tuna, supra note
100, para. 77; see infra, III.C. and V.
158. UNCLOS, supra note 144, annex III art. 4(4) (emphasis added).
159. Donald K. Anton, Robert A. Makgill & Cymie R. Payne, Seabed Mining Adviso-
ry Opinion on Responsibility and Liability, 41 Envt’l Pol’y. & L. 60, 64 (2011).
160. See infra, III.C.

Extracted Principles / Cyber-Diligence Application

(1) Extracted principle: To fulfil due diligence obligations, sponsoring States
    must enact laws, regulations, and administrative measures enforcing the
    obligations of contractors.1 Contractual arrangements are insufficient.2

    Cyber-diligence application:
    · Territorial States should: (1) criminalise cyberattacks causing serious
      injury in foreign territory and; (2) incentivise network owners to
      secure infrastructure.

(2) Extracted principle: “[The obligations] may include [establishing]
    enforcement mechanisms for active supervision of the activities of the
    sponsored contractor.”3

    Cyber-diligence application:
    · States should:
      o In grants and tenders, prioritise corporations with clean “track
        records” or those diligently securing their networks. These
        corporations offer a more attractive product than their less
        diligent competitors.4
      o Alternatively, stimulate competition in the network owners’ market
        and reduce barriers to entry into the domestic market for “clean”
        overseas competitors. The new competitors would encourage domestic
        corporations to improve network security and heighten industry
        benchmarks for cybersecurity.5
      o Ensure their judicial apparatus is available for civil litigation
        against the owners of compromised networks.
      o Issue fines and regulatory warnings to non-compliant corporations in
        specific cases.

(3) Extracted principle: Domestic laws and regulations must be “no less
    effective than international rules, regulations and procedures,
    primarily [those] adopted by the [International Seabed Authority].”6

    Cyber-diligence application:
    · With reference to Section III(C)(3),7 a supervisory committee should
      prescribe a minimum standard of diligence for States to meet in
      acquiring cyber-diligence capacity.

These measures depend on the capacity and policy traditions of the
territorial State,161 and favour governmental intervention. Temporary
restrictions on the free market in certain sectors facilitate efficient
pursuit of wider social goals, including cybersecurity.
Cyber-diligence and due diligence obligations from the Law of
the Sea have diverging jurisdictional features. However, the Seabed
Disputes Chamber offers a paradigm against which a State’s domestic

regulatory response can be measured.


International cooperation also boosts cybersecurity. Next, we
canvass the state of international cybersecurity cooperation and
propose a number of initiatives as part of a State’s duty to co-operate.
The difficulties of enforcing cooperative duties in particular cyber-
incidents should not be overlooked.

E. An Assessment of International Cooperation in Cyberspace162


Currently, two trends in cybersecurity cooperation can be observed:
1. States engage in multilateral cooperation efforts within regional
or political alliances.163
2. States implement cybersecurity cooperation between the public
and private sectors,164 who share intelligence and coordinate

161. Seabed Mining, supra note 70, para. 218.


162. See Jost Delbrück, The International Obligation to Cooperate: An Empty Shell or
a Hard Law Principle of International Law?, in 2 Coexistence, Cooperation
and Solidarity: Liber Amicorum Rüdiger Wolfrum 5 (Holger P. Hester-
meyer et al. eds, 2012).
163. E.g., Shanghai Cooperation Org., International Code of Con-
duct for Information Security, U.N. Doc. A/69/723;
ASEAN Regional Forum, Statement by the Ministers of Foreign Affairs on Co-
operation in Ensuring Cyber Security, adopted at the 18th ASEAN Regional
Forum, Phnom Penh, (July 12, 2012); NATO, Strategic Concept for the De-
fence and Security of the Members of the NATO, 11, 16-17, adopted at the
NATO Summit, Lisbon (Nov. 19-20, 2010); Organisation of American
States, OAS Cyber Security Initiative (2015), https://www.sites.oas.org/
cyber/EN/Pages/Documents.aspx.
164. E.g., National Institute of Standards and Technology, Improv-
ing Critical Infrastructure Cybersecurity Executive Order
13636: Preliminary Cybersecurity Framework (2013), http://www.
nist.gov/; Ctr for the Protection of Nat’l Infrastructure, Securi-
data security measures.165

State-to-state exchanges of threat information, expertise, and


technology occur within situation (1).166 As most networks are privately
owned or managed,167 States coordinate use of the acquired expertise
in situation (2).
Cybersecurity cooperation boosts cybersecurity in the long term,
but does not enforce cooperative duties during and after particular



cyberattacks.168 Political expediency presents an obstacle to cyberattack
cooperation. For example, a bilateral agreement between Russia
and Estonia enshrined “obligations” to transfer evidence, assist in
investigations, and extradite alleged perpetrators of criminal offences.169
In spite of this, Russia refused to assist Estonia’s investigations after
the 2007 cyberattacks. Russia’s interpretation of the treaty excluded
surveillance measures identifying a perpetrator’s physical location.170
A restrictive interpretation conceals, perhaps, a lack of cooperative
will.171 Some States possibly favour a poorly regulated cyberspace.172
States can leverage assistance to gain traction with allies, or refuse

ty Planning (2016), http://www.cpni.gov.uk/Security-Planning/; Euro-


pean Union Agency for Network and Information Security, Eu-
ropean Public-Private Partnership for Resilience (EP3R) (2009)
https://www.enisa.europa.eu/topics/national-cyber-security-strategies; Ger-
man Federal Office for Information Security, IT-Grundschutz (2016), https://
www.bsi.bund.de/EN/Topics/ITGrundschutz/; Shackleford, supra note 20, at
29.
165. See Czosseck, supra note 9, at 17-20; National Institute of Standards and
Technology, supra note 164.
166. International Telecommunications Union, supra note 17, at 34-35.
167. E.g., Cisco, Network Infrastructure, in Cisco Unified CallManager: Ex-
press Solution Reference Network Design Guide 3 (2006).
168. International Telecommunications Union, supra note 17, at 29.
169. Agreement on Legal Assistance and Legal Relations in Civil Family and Criminal
Cases, The Republic of Estonia-Russian Federation, RT II 1993, art. 3, signed
and entered into force Jan. 26, 1993.
170. Tikk, Kaska & Vihul, supra note 85, at 27.
171. Id. at 27-28.
172. Czosseck, supra note 9, at 16.
219
Liu
assistance to gain geopolitical advantages over adversaries. Conversely,
States may not seek or provide assistance for fear of exposing their
cyber vulnerabilities or cyber-technology.173
Cooperative duties nonetheless need to be “clear, useful, and do-
able.”174 To complement current regimes, they ought to immediately
contain a cyberattack. States should commission cybersecurity
experts,175 and:

1. deploy their experts to secure critical (and vulnerable) networks
domestically, reducing the risk of cyberattacks emanating from
their territory; and
2. in the event of an ongoing cyberattack, mobilize these experts
in real-time to instantly upgrade network security.

Experts could be exchanged between contracting agencies within
cooperating States.176 Each State could mobilize experts from multiple
jurisdictions if cyberattacks occurred or if their private sector demanded
increased protection. States with cyber-monitoring capabilities may
warn others, in advance, of increased malicious traffic indicating
imminent cyberattack(s).177 A target State can then boost network
capacity in anticipation. In ongoing cyberattacks, assisting States may
host servers, transfer bandwidth, and eliminate botnet traffic.
But these suggestions remain aspirational. First, duties to co-operate
are obligations of conduct “formulated in a relatively weak way,”178 which
do not drive outcomes. In Southern Bluefin Tuna, a treaty obligation
required parties to “consult, [and] resolve the dispute by negotiation
or other peaceful means of their own choice.”179 The parties were only
obliged to continue to seek settlement through negotiation, rather than
coming to an actual settlement.180 A unilateral referral of the dispute
to judicial settlement or arbitration was ineffective.181 Indeed, as the
Estonia-Russia Treaty illustrates, States exercise discretion in their
adherence to a cooperation treaty.182

173. International Telecommunications Union, supra note 17, at 29; Moore, supra
note 127, at 8.
174. Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and
Political Change, 52 Int’l. Org. 887, 895-98 (1998).
175. Czosseck, supra note 9, at 16.
176. International Telecommunications Union, supra note 17, at 35.
177. Tikk, Kaska & Vihul, supra note 85, at 61.
178. Economides, supra note 60, at 378.
179. Southern Bluefin Tuna, supra note 100, at 18-19 para. 57; Southern Bluefin
Tuna (N.Z. v. Japan; Austl. v. Japan), 38 I.L.M. 1624, 1647 (Judge ad hoc
Shearer).
180. Id. at 18-19 para. 54-57; but see Economides, supra note 60, at 380 note 44.
181. Southern Bluefin Tuna (N.Z. v. Japan; Austl. v. Japan), Jurisdiction and
Admissibility, Int’l Trib. for the L. of the Sea, Aug. 4, 2000, 39 I.L.M. 1359, at 18-19
para. 57.
182. Delbrück, supra note 162, at 13; Rüdiger Wolfrum, International Law of
Cooperation, Max Planck Encyclopedia of Public International Law paras
5, 16 (2010),
http://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1427.

Second, some commentators stress that States bear a legal obligation
to cooperate in reducing cyber threats, as cyberspace integrity is
relevant to international security.183 Katharina Ziolkowski argues: “the
internet presents another global resource [which is] in the common
interest of the international community.”184 We ought to exercise
caution before suggesting cooperative duties that have arisen within
the natural environment or the seabed185 apply to cyberspace.
Unlike the high seas,186 or outer space,187 cyberspace is not a
“common concern of humankind” (res communis).188 States recognize a
res communis when: (1) exploitation of accumulated resources benefits
each State; and (2) collective governance serves greater utility compared
to dividing the space into smaller parts.189 Cyberspace is not a natural,
indivisible asset. Each State is encouraged to invest in cyberspace to
reap economic, political, and social benefits.190

183. Ziolkowski, supra note 32, at 177-78.
184. Id.
185. UNCLOS, supra note 144, art. 136; Wolfrum, supra note 182, para. 27.
186. UNCLOS, supra note 144, art. 87, 89; Hugo Grotius, The Freedom of the
Seas, Or, the Right Which Belongs to the Dutch to Take Part in the
East Indian Trade (New York: Oxford University Press, 1916) (1608).
187. Treaty on Principles Governing the Activities of States in the Exploration and
Use of Outer Space, including the Moon and Other Celestial Bodies, art. 2,
G.A. Res. 2222(XXI), U.N. GAOR, 21st sess., 1499th plen. mtg (Dec. 19, 1966).
188. Tsagourias, supra note 109, at 28. See also Heinegg, supra note 57, at 9-10.

States currently have no incentive to agree on a common regulatory
regime in cyberspace. Doing so would decrease their margin of
appreciation to set cyberspace priorities. Any common interests in
cyberspace fasten on ensuring the platform’s development, so that each
State can advance their private interest. States increasingly “[establish
sovereign control] in the virtual world in the name of security and
economic sustainability.”191
Third, cooperative efforts will likely be limited to agreements
between politically aligned States. The European Union has initiated
best-practice and cyber-intelligence exchanges.192 The U.S. National
Institute of Standards and Technology collaborates with “the U.K.,
Japan, Korea, Estonia, Israel and Germany” to spread best practice in
domestic cybersecurity.193
Perhaps this paper’s assessment of international cooperation
appears overly negative. Initially, the above passages may indicate
international law is epiphenomenal, allowing powerful States to grant
their cooperation at will.194 However, we do not endorse a realist
perspective which refutes the normative value of pacta sunt servanda.195
Our critique questions whether current cooperation regimes are
effective in the face of a particular cyberattack. Expecting obligations of
cooperation to bring utopian cybersecurity will inevitably disappoint.
But the value of regional and multilateral cooperation schemes to
improving cybersecurity cannot be ignored.196

189. Tsagourias, supra note 109, at 24-25; Hollis, supra note 49, at 135-36.
190. Id.; see infra, III.C.
191. Demchack & Dombrowski, supra note 35, at 32.
192. Joint Communication to the European Parliament, The Council, The European
Economic and Social Committee and the Committee of the Regions,
Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
[2013] JOIN/2013/01 final; Directive of the European Parliament and of the
Council concerning measures to ensure a high common level of network and
information security across the Union, O.J. L. 194/1 (2013).
193. Shackleford, Russell & Kuehn, supra note 20, at 28 note 121.
194. Jack Goldsmith & Eric Posner, The Limits of International Law 13
(2005); Thomas Hobbes, Leviathan 184 (Cambridge University Press, 1996)
(1651).
195. Goldsmith & Posner, supra note 194.

As the Estonian incident demonstrates,197 the effectiveness of
multilateral conventions in a cyberattack depends on a signatory’s
willingness to assist under those circumstances. Failure to assist incurs
no enforceable sanction,198 but these conventions could spur domestic
cybersecurity adoption.199 The fact that some States already cooperate
through treaties demonstrates the effect of international law.200 As
James Crawford states, “like good coffee, international law has to be
brewed.”201 The cybersecurity coffee is yet percolating.
Cooperative duties are process-driven, limiting their ability to
achieve outcomes. However, a central consultative body that facilitates
cooperation could spark increases in cyber-diligence capacity. We turn
to counter-terrorism for direction. The next subsection defines the
similarities between cyberattacks and terrorism and argues that cyber-
diligence should resemble Resolution 1373’s counter-terrorism model
of due diligence. Adoption of this model would be conditional on an
event which heightens expectations of States’ compliance with cyber-
diligence obligations.

196. See Martti Koskenniemi, From Apology to Utopia: The Structure of
International Legal Argument 17 (2006).
197. See infra, IV.A.1.
198. Tikk, Kaska & Vihul, supra note 85, at 86.
199. International Telecommunications Union, supra note 17, at 29.
200. James Crawford, Chance Order Change: The Course of International
Law 36-41 paras. 35–37 (2014).
201. James Crawford, International Law on a Given Day, in International Law as
an Open System: Selected Essays 93 (2002).

F. Prevention of Transnational Terrorism

1. Introduction
International terrorism and cyberattacks share parallels. The definition
of international terrorism has long been disputed.202 We adopt the
definition established in the Security Council’s (“S.C.”) Resolution
1566: terrorism consists of acts “with the purpose to provoke a state
of terror . . . and all [other offences] in the international conventions
and protocols relating to terrorism.”203 A number of these conventions
require a transnational component before an act constitutes terrorism.204
International terrorism and cyberattacks both constitute
transnational threats. A shared ideology or “functional imperatives”
rally members across national boundaries into a transnational group to
execute these threats.205 These groups defy conceptions of the State as a
self-contained unit in international law.206 They flout a State’s supreme
authority in a given territory.207 Due diligence obligations link these
groups to State responsibility and counter their de-territorialized threat
to State-centricity.

202. Convention for the Prevention and Punishment of Terrorism (League
Convention 1937), Annex I art. 1(2), LoN Doc. C.94.M.47.1938.V, Int’l Conf. Proc.
on the Repression of Terrorism, Geneva (Nov. 1-16, 1937); International
Convention for the Suppression of the Financing of Terrorism, art. 2(1)(b), G.A.
Res. 54/109, U.N. GAOR, 54th sess., 6th plen mtg, U.N. Doc. A/54/109;
Interlocutory Decision on the Applicable Law: Terrorism, Conspiracy, Homicide,
Perpetration, Cumulative Charging, Special Tribunal for Lebanon, Appeals
Chamber, Case No STL-11-01/1/I/AC/R176bis (Feb. 16, 2011), 87; Thomas
Weatherall, The Status of the Prohibition of Terrorism in International Law:
Recent Developments, 46 Geo. J. Int’l L. 589, 591-597 (2015); Trapp, supra
note 63, at 18-23; Tal Becker, Terrorism and the State: Rethinking the
Rules of State Responsibility 85 (2006); Ben Saul, Defining Terrorism
in International Law (2008).
203. S.C. Res. 1566, U.N. SCOR., 5053rd mtg, U.N. Doc. S/Res/1566 (Oct. 8, 2004).
204. Trapp, supra note 63, at 21.
205. Samuel P. Huntington, Transnational Organisations, 25 World Pol. 334-35,
365 (1973).
206. Id. at 365.
207. Hartmut Behr, Political Territoriality and De-Territorialisation, 39 Area 112,
113-14 (2007).

Behr describes these threats as “real, effective and powerful, [but
not] permanently present and visible. They appear . . . to have gone
to nowhere, when suddenly they reappear at different places.”208 A
terrorist blends into the civilian population before carrying out an act
of violence. A cyberattack’s malicious traffic blends indiscriminately
into the internet exchange before it inflicts injuries.209

2. Al-Qaeda and Anonymous: A Comparison

International law integrates non-State actors into its counter-terrorism
and cyber-diligence frameworks. An analogy between two organisations
harbouring “terrorism” and cyberattacks illustrates the similarities of
both threats.
Al-Qaeda may have the greatest reach of any transnational militant
organisation. Al-Qaeda resembles a decentralized “cultural and social
network”210 without a formal hierarchy.211 Its network spans continents
and comprises cells, nodes, and guerrilla terrorist groups linked by
a central modus operandi of subverting “Western ideology”.212 Family,
ethnicity and nationality determine: (1) the targets of recruitment
and training; and (2) which groups manage operations in a particular
geographical area.213
Anonymous is a hacktivist movement. It coordinates operations
(“ops”) which retaliate against a specific event or general censorship.
The phenomenon began on the internet forum 4chan, notorious for
internet free speech. Anonymous has become emblematic of cyber-
libertarian values: declaring “information wants to be free.”214 The
group deliberately transgresses what they see as sanitized, mainstream,
political correctness.215

208. Id. at 114.
209. Shackleford, supra note 81, at 200.
210. See also Ronald Dworkin, Justice for Hedgehogs 311-14 (2013).
211. Cf. Huntington, supra note 205, at 354-55.
212. Vincent-Joël Proulx, Transnational Terrorism and State
Accountability: A New Theory of Prevention 55 (2012); Robert P. Barnidge Jr.,
Non-State Actors and Terrorism 104 (2008); Rohan Gunaratna, Inside
Al-Qaeda 95-97 (2002).
213. Gunaratna, supra note 212, at 96-97.
214. Luke Goode, Anonymous and the Political Ethos of Hacktivism, 13 Pop’l.
Comm. 78 (2015).

Like Al-Qaeda, Anonymous has a decentralized command system.
Its “ops” begin by disseminating content on entities or events perceived
as a threat to “free speech”. The movement then explains priorities and
targets, calling “anons” into action, usually to launch DDOS attacks
and deface websites.216 In 2012, “anons” initiated DDOS attacks on
the Polish government website, taking it offline. “Operation Anti-ACTA”
responded to the Polish Government signing a multilateral
agreement to reduce copyright violation.217 Anonymous proclaimed
that the agreement “[enslaves] the internet.”218 While the government
website was down, Polish politicians opposed to the agreement wore
Guy Fawkes masks (the symbol of the Anonymous movement) in
Parliament.219
Private actors domiciled across different States accomplish Al-
Qaeda and Anonymous’ “successes”. They are ideological movements,
without a visible hierarchy, and challenge the effectiveness of direct
attribution to secure State accountability for private actions. Following
the September 11, 2001 attacks (“9/11”), the international community
has developed a renewed model of due diligence in counter-terrorism.
Given the parallels between terrorism and cyberattacks, the post-9/11
counter-terrorism model would be the most useful law-by-analogy
to apply. The focus should be to improve capacity for cyber-diligence
across all 191 U.N. member States.

215. D.C. Elliot, Anonymous Rising, 36 LiNQ 96-97 (2009); Anonymous,
Anonymous Official (2016), available at
https://www.youtube.com/user/AnonymousWorldvoce/videos (last visited Jun. 18, 2016).
216. Brian B. Kelly, Investing in a Centralised Cybersecurity Infrastructure: Why
“Hacktivism” Can and Should Influence Cybersecurity Reform, 92 Buff. U. L.
Rev. 1663, 1668 (2012).
217. Gabriella Coleman, Beacons of Freedom, 41 Ind. Censor’s. 62-63 (2012).
218. Anonymous, Anonymous to Polish Government, This is Your Last Chance
(2012), available at https://www.youtube.com/watch?v=T6-XSQnPeQQ (last
visited Jun. 18, 2016).
219. Coleman, supra note 217.

3. Incorporating the Counter-Terrorism Model of Due Diligence
States bear an obligation to prevent the terrorist conduct of non-State
actors. The obligation existed within custom and conventions well
before 9/11.220 However, this paper focusses on the counter-terrorism
standard of due diligence established within Resolution 1373.
In handing down Resolution 1373, the S.C. exercised its Chapter
VII powers in a legislative fashion for the first time, “[imposing]
universally binding obligations without temporal or geographic
limitations.”221 States must: “(a) refrain from providing any form of
support . . . to entities or persons involved in terrorist acts; (b) take
the necessary steps to prevent the commission of terrorist acts; and (c)
deny safe haven to those who finance, plan, support or commit terrorist
acts.”222 The Resolution also required States to cooperate in “criminal
investigations or criminal proceedings” related to terrorist acts.223
Resolution 1373 clearly intensified States’ counter-terrorism
obligations.224 States are obliged to: (1) prevent terrorism with best
efforts (a positive obligation); and (2) refrain from acquiescing to
terrorism (a negative obligation).225 These (U.S. initiated) obligations
present all “terrorism” as “an absolute threat” to international peace and
security,226 which demand unlimited counter-terrorism measures.227

220. Declaration on Principles of International Law concerning Friendly Relations
and Cooperation among States in accordance with the Charter of the United
Nations, G.A. Res. 2625 (XXV), U.N. GAOR, 6th comm., 25th sess., Supp. No. 28,
U.N. Doc. A/8082 (1970).
221. Becker, supra note 202, at 122.
222. S.C. Res. 1373, para. (2) (a)-(e), U.N. SCOR, 56th sess., 4385th mtg, U.N. Doc.
S/RES/1373 (Sept. 28, 2001) (hereinafter “Resolution 1373”).
223. Id. para. 2(f).
224. Becker, supra note 202, at 122-25; Barnidge Jr., supra note 212, at 132;
Cecilia Bailliet, Security: A Multidisciplinary Normative Analysis 176
(2009); Proulx, supra note 212, at 54, 84; Trapp, supra note 63, at 76; Eric
Rosand, Security Council Resolution 1373, The Counter-Terrorism Committee,
and the Fight Against Terrorism, 97 Am. J. Int. Law. 333, 334 (2003).
225. Becker, supra note 202, at 131-32; Trapp, supra note 63, at 80-82.
226. See also S.C. Res. 1368, U.N. SCOR., 4370th mtg, U.N. Doc. S/RES/1368
(Sept. 12, 2001).
227. Saul, supra note 202, at 21; Bardo Fassbender, The U.N. Security Council and
International Terrorism, in Bianchi & Naqvi eds, supra note 26, at 83-92; see
also Sunstein, supra note 85, at 123.

Resolution 1373 established the Counter-Terrorism Committee
(“C.T.C.”) and required “all States to report to the Committee . . . on the
steps they have taken to implement this resolution.”228
The C.T.C. initiated a transnational “capacity building blitz”.229 The
S.C. should similarly establish a Cyber-Diligence Committee (“C.D.C.”).
First, a qualification: the C.T.C. is a by-product of heightened counter-
terrorism obligations. Currently, the gravity of the cyber-threat is not
perceived to be on the same level as international terrorism. A similar
level of prevention is not yet legally required. My recommendations,
made by analogy, remain academic, and are best preserved for when
an event catalyses urgent, transnational responses to combating
cyberattacks.

i. Replicating the Counter-Terrorism Committee’s Central Supervision
Resolution 1373’s operative paragraph 6 has been remarkably successful:
all 191 U.N. member States have reported on their counter-terrorism
measures.230 The C.T.C. is a consultative body. It appoints experts to
review reports and provides methods for States to acquire counter-
terrorism capacity. The Committee maintains a directory of available
assistance to remedy States’ compliance deficiencies,231 and does not
enforce sanctions on those who “fail” to comply with Resolution 1373’s
obligations. It dispassionately tackles a politically charged area and
reduces the available terrain for terrorist action and recruitment.
The U.N. General Assembly has established the Group of
Governmental Experts in Information Security (“G.G.E.”), signalling
an intention to centralise cybersecurity efforts.232 The Group outlines
that: “States . . . should seek to ensure that their territory is not used
by non-State actors to commit [internationally wrongful acts] using
ICTs.”233 As a result, 25 States have tabled reports on their internal
cybersecurity policies.234

228. Resolution 1373, supra note 222, para. 6.
229. Trapp, supra note 63, at 78.
230. Curtis A. Ward, Building Capacity to Combat International Terrorism: The Role
of the United Nations Security Council, 8 J. Conflict & Sec. L. 289, 299 (2003);
Rosand, supra note 224, at 335.
231. Ward, supra note 230, at 301-02; Becker, supra note 202, at 127.
232. Developments in the Field of Information and Telecommunications in the
Context of International Security, G.A. Res. 68/243, U.N. GAOR, 68th sess., 72nd
plen. mtg, U.N. Doc. A/Res/68/243 (Dec. 27, 2013).

The U.N. should go beyond inviting open-ended cybersecurity
reports and establish a C.D.C. to regulate international capacity
building efforts for cyber-diligence. The C.D.C.’s overall goal should be
to assist (particularly developing) States building capacity to prevent
cyberattacks. A gradual improvement in capacity throughout all 191
U.N. member States could decrease the frequency of cyberattacks,
although this will take time, and requires ample financial resources.235
The C.D.C.’s specific functions should resemble those of the C.T.C.:
appoint experts to advise States on cyber-diligence compliance,236
coordinate assistance between donors and donees,237 and elicit
compulsory written reports on States’ capacity building measures.
A C.D.C. reduces the discretion of States to determine appropriate
measures for cyber-diligence. Through reviews, the C.D.C. should
implicitly set a due diligence standard for States to meet in acquiring
capacity. A C.D.C. should stress the relative nature of cyber-diligence
and not stretch the obligation into one of absolute prevention.238 (It
should centralize responsibility for co-ordinating cyber-diligence
efforts, but preserve due diligence as an obligation of conduct.)

233. Group of Governmental Experts on Developments in the Field of Information
and Telecommunications, U.N. Doc. A/70/174., 28(e); ICTs: Information and
Communications Technologies, an amorphous term to describe technologies
(including computers, network software, hardware, and cellular phones) used
to communicate through computer networks.
234. Developments in the Field of Information and Telecommunications in the
Context of International Security: Report of the Secretary General, G.A. Res. 71/172,
U.N. GAOR, 70th sess., C.3 plen. mtg, U.N. Doc. A/71/172 (July 19, 2016);
Developments in the field of Information and Telecommunications in the Context of
International Security: Report of the Secretary General, G.A. Res. 70/172, U.N.
GAOR, 70th sess., C.3 plen. mtg, U.N. Doc. A/70/172 (July 22, 2016).
235. Rosand, supra note 224, at 338-41.
236. This may require States to report on industry’s preventive measures to secure
networks ahead of any cyberattacks.
237. Rosand, supra note 224, at 338.
238. Proulx, supra note 212, at 79; Becker, supra note 202, at 145.

However, a capacity-building focus has limitations. It risks creating
a disparity between States’ reported capacity and their actual exercise
of that capacity.239 Unresolved tensions include:
1. whether the C.D.C. should impose effective enforcement
mechanisms, or respect State decisions on internal social,
economic, and political matters;240 and
2. how the C.D.C. should determine which States: (i) do not
have a genuine capacity to acquire or execute cyber-diligence
(unable but willing); and (ii) have the capacity
(in reality) to exercise cyber-diligence, but decline to do so
(able but unwilling).241

In the counter-terrorism context, Tal Becker proposes that due
diligence standards should apply to a State:
1. acquiring the (legal, administrative, and resource) capacity
to meet their due diligence obligations; and
2. “[employing] its capabilities with due diligence”.242

Becker’s proposed standards should be incorporated into States’
cyber-diligence obligations. The C.D.C. should supervise States’
compliance with limb (1). States who fail to notify the C.D.C. of
their capacity deficits should be disentitled from pleading a lack of
capacity if a subsequent cyberattack implicates their networks.243
This approach limits the responsibility of unable but willing States for
a particular cyberattack, provided they have fulfilled limb (1) to the
extent of their capacity. Other domestic exigencies may militate against
a State’s exercise of cyber-diligence capabilities.244 If so, a State should
not be held in violation of limb (2), taking into account the particular
circumstances at the time of the cyberattack.

239. Becker, supra note 202, at 128.
240. U.N. Charter art. 2(7).
241. Becker, supra note 202, at 128; Barnidge Jr., supra note 212, at 140-41; see
also Trapp, supra note 63, at 70-80.
242. Becker, supra note 202, at 144-145; Proulx, supra note 212, at 17.
243. Becker, supra note 209, at 146.

If able but unwilling States simply ignore limb (2), establishing a
failure to exercise cyber-diligence would be relatively straightforward.
However, difficulties arise where able but unwilling States exercise
cyber-diligence “half-heartedly”. For instance, a State could neutralise
a third of the total botnets emanating from their territory (when they
have the capacity to terminate the entire cyberattack).245 To establish
violation, the victim State ought to prove that the territorial State did
not employ their full capacity to prevent the cyberattack.246
There is no “quick fix” to these tensions. Nonetheless, a C.D.C. should
introduce an internationally calibrated strategy to capacity building
in cyber-diligence. Far from being merely theoretical, 159 States have
received counter-terrorism assistance as a result of the C.T.C.247 A
C.D.C. realises the UN’s role of equipping States with the capacity for
cyber-diligence,248 but not overstepping its intergovernmental character
to intervene in States’ actual exercise of cyber-diligence.249
This section argues that the contents of a State’s cyber-diligence
obligation should include: (1) the “cyber-polluter pays” principle; (2)
implementing regulations for industry to secure infrastructure, and;
(3) capacity-building via consultation with the C.D.C. But States ought
to know what circumstances enliven their obligation to fulfil these
contents. The following section considers the two key triggers of cyber-
diligence obligations: knowledge and injury.

244. Trapp, supra note 63, at 79.
245. Barnidge Jr., supra note 219, at 140-41; Becker, supra note 202, at 151.
246. See infra, III.A.
247. Ward, supra note 230, at 302-03.
248. See Fassbender, supra note 227, at 84.
249. See China Miéville, Between Equal Rights: A Marxist Theory of
International Law 151 (2005).

IV. TRIGGERING THE DUE DILIGENCE
OBLIGATION IN CYBERSPACE

A. Does Actual or Constructive Knowledge Trigger Cyber-Diligence?


According to Hugo Grotius, a sovereign’s responsibility for their
subjects’ actions consists of “forbearance” and “protection shewn to
transgressions.”250 The sovereign must: (1) know of the transgression;
and (2) fail to prevent or punish the delinquency.
Knowledge remains a pre-requisite of due diligence under modern
State responsibility.251 States can only interdict a cyberattack if they
know of it.252 Herein lies the problem. Cyberattacks are often carried
out inconspicuously via “zombified” botnets which cause instant
injury.253 There is (usually) no time difference between an attack’s
initiation and conclusion.254 A State can only possess actual knowledge
of a cyberattack after the attack realises injuries.255
This paper proposes four categories of knowledge to trigger
cyber-diligence:

1. Actual knowledge: a State knows of a cyberattack (where a
State organ conducts the cyberattack);
2. Connivance: a State wilfully shuts their eyes to the obvious
occurrence of a cyberattack (for example, after detecting the
cyberattack or being notified of it);256
3. Objective evidence leads to a logical conclusion that:
• a State ought to have known of a cyberattack; or
• a State had information on a cyberattack, and was obliged to
undertake further inquiries, but failed to do so;
4. In the event a C.D.C. is adopted, States bear a heightened
duty of vigilance to identify and eliminate threats within
their territory.257 Constructive knowledge and an obligation
to undertake further inquiries are built into this duty.

250. Hugo Grotius, De Jure Belli ac Pacis, Book II ch. XXI para. II (Nabu Press,
2011) (1625).
251. Jan Hessbruegge, The Historical Development of the Doctrines of Attribution
and Due Diligence in International Law, 36 N.Y.U. J. Int’l L. & Pol. 265, 274
(2004); Articles on State Responsibility, supra note 11, at 34-35 art. 2 cmt para.
3.
252. Martti Koskenniemi, Doctrines of State Responsibility in International
Responsibility, in Crawford, Pellet & Olleson eds, supra note 33, at 50; Ian Brownlie,
System of the Law of Nations: State Responsibility—Part 1 45 (1983);
Bin Cheng, General Principles of Law as Applied by International
Courts and Tribunals 225-26 (1994).
253. A botnet is “a network of compromised computers.” “The bots” are remotely
controlled by the “botherder” and conduct coordinated cyber operations.
There is no limit on the number of bots that can be “recruited”. See Schmitt ed.,
supra note 25, at 257; Committee on Offensive Information Warfare,
supra note 25, at 89.
254. But see, infra IV.3.b.
255. Unless the state itself launched the cyberattack, a fact that is exceedingly
difficult to prove.

Categories (1) – (2) constitute subjective knowledge, while
categories (3) – (4) amount to constructive (objective) knowledge.
First, we demonstrate that all four categories should suffice to trigger
cyber-diligence. Second, we suggest an appropriate standard of proof
to establish a territorial State’s knowledge before an international court
or tribunal (“international tribunal”).

1. Subjective Knowledge is Difficult to Establish

i. Categories 1 and 2
Subjective knowledge is the highest degree of intent. A State either
intended the cyberattack to cause serious injury, or endorsed the
outcome. In judicial proceedings, victim States may struggle to establish
a territorial State’s actual knowledge or connivance. The accused State’s
sovereignty shrouds any evidence of subjective knowledge in secrecy.
It is unthinkable that an accused State would surrender documents
revealing internal decisions,258 especially given the lack of discovery
procedures in State-on-State litigation.

256. Constantine Antonopoulos, State Responsibility in Cyberspace, in Tsagourias &
Buchan eds, supra note 35, at 69.
257. Brownlie, supra note 252, at 45, 152-53; Corfu Channel (U.K. v. Alb.), 1949
I.C.J. Rep. 4, para. 85 (Apr. 9) (Judge Azevedo).

Some commentators posit that knowledge only arises when victim
States notify territorial States of cyberattacks.259 In Tehran Hostages, the
I.C.J. relied on notification to infer Iran’s actual knowledge of militant
raids. Iran was “fully aware . . . of the urgent need for action,”260 given
“repeated calls for help” to the Iranian Foreign Ministry.261 Iran’s
inaction was “due to more than mere negligence or lack of appropriate
means.”262
However, victim States rarely notify territorial States of a cyberattack.
Notification consumes time, does little to reduce injury, and tarnishes
inter-State relations. Instead, a State will likely devote their resources
to withstanding a cyberattack. In the Estonian incident, botnet
infiltrations implicated computers in 178 countries.263 Estonia did
not notify one territorial State. Instead, Estonia increased bandwidth
capacity (so networks could handle increased traffic), filtered malicious
transmissions, and engaged U.S. and N.A.T.O. assistance to terminate
sources of the attack.264 Some territorial States voluntarily neutralized
sources of attacks.265
In 2008, Georgia and Russia engaged in armed conflict over the
South Ossetia region. Georgia suffered concurrent cyberattacks on
their governmental, commercial and media networks, (supposedly)
coordinated via Russian infrastructure.266 Georgia, a “cyber-locked”
State, relied on neighbouring States’ cyber infrastructure to facilitate
their internal traffic.267 The primary channel for Georgia’s internet
connectivity flowed through Russia.268 Georgia did not notify Russia
of the cyberattacks, instead relocating important servers to the U.S.269
Google’s secure servers temporarily hosted a news portal,270 and NATO
also secured Georgian networks.271

258. Tribunals have questioned the veracity of leaked documents. Prosecutor v.
Ayyash, Case No STL-11-01/1/TC, 11-12 para. 40 (Special Trib. for Lebanon,
Trial Chamber, Feb. 1, 2012) (hereinafter “Ayyash”).
259. Antonopoulos, supra note 256.
260. Tehran Hostages, supra note 33, at 32-33 para. 68.
261. Id. at 12-13 paras 17-18, 19, paras 35, 31 para. 63.
262. Id. at 31 para. 63.
263. Tikk, Kaska & Vihul, supra note 85, at 23.
264. Id. at 24.
265. Id.
266. Id. at 75.

If only notification could enliven knowledge, then no cyber-
diligence could ever be triggered in incidents like the cyberattacks on
Estonia and Georgia. Victim States mitigate loss and boost defences
when a cyberattack begins. Politically allied States disable attack
sources and offer relief networks.272 Victim States do not benefit from
notification.
The knowledge threshold to trigger cyber-diligence should be
lowered. Kimberley Trapp argues (in the counter-terrorism context):
“requiring proof of subjective knowledge would effectively act as a bar
to any finding of responsibility for a failure to prevent.”273 A territorial
State’s cyber-diligence obligation should be triggered if they “ought to
have known” of a cyberattack.

2. Constructive Knowledge Should Trigger Cyber-Diligence Obligations

i. Category 3
International jurisprudence supports constructive knowledge triggering
due diligence. In Corfu Channel, the I.C.J.’s majority judgment relied
on a series of inferences to conclude that the minefield laying “could
not have been accomplished without the knowledge of Albania.”274 The
majority inferred Albania’s knowledge according to objective standards.

267. George Kerschischnig, Cyberthreats and International Law 66
(2012).
268. Id.
269. Id.
270. Id. at 65-66; Tikk, Kaska & Vihul, supra note 85, at 77.
271. Liina Areng, International Cyber Crisis Management and Conflict Resolution
Mechanisms, in Ziolkowski ed., supra note 9, at 577.
272. See infra, III.B.3.
273. Trapp, supra note 63, at 68.
274. Corfu Channel, supra note 44, at 19-20.
The U.K. was not required to prove Albania knew (subjectively) of the
mines’ presence.275 Notably, two dissentients (Judge Azevedo and Judge
Krylov) held Albania was under a continuous duty to inform itself of
reasonably foreseeable threats in its territory,276 or, as Ian Brownlie
argues, “[to] take reasonable care to discover activities of trespassers.”277
In the Bosnian Genocide case, the I.C.J. found that a State’s obligation
to prevent the occurrence of genocide is engaged “at the instant that the
State learns of, or should normally have learned of, the existence of a
serious risk that genocide will be committed.”278 Engaging the obligation
to prevent genocide is tantamount to triggering cyber-diligence if the
State should have reasonably known of the attack’s occurrence.279
In Asian Agricultural Products, the Tribunal emphasized Sri Lanka
bore a duty to exercise “[an] ‘objective’ standard of vigilance in assessing
the required degree of protection and security . . . for foreign investors.”280
The language of these cases suggests that constructive knowledge should
be established if the territorial State had information that a cyberattack
might occur and failed to conduct further inquiries.
Elsewhere, some commentators argue constructive knowledge
should be presumed when a cyberattack implicates a State’s exclusive
governmental infrastructure.281 The aggrieved State ought to establish
that the attack travelled through the territorial State’s governmental
infrastructure.282 Constructive knowledge is prima facie established
if the infrastructure was under direct State control and used only for
public purposes.283

275. Id.; Trapp, supra note 63, at 69; Becker, supra note 202, at 134.
276. Corfu Channel, supra note 44, at 93 (Judge Azevedo); Corfu Channel, supra
note 44, at 72 (Judge Krylov).
277. Brownlie, supra note 252, at 45, 152.
278. Genocide Case, supra note 30, at 221-22 [431].
279. See also Trapp, supra note 63, at 63; Dupuy, supra note 74, at 373-75 paras 12-16.
280. Asian Agricultural Products Ltd v. Democratic Socialist Republic of Sri Lanka,
Case No ARB/87/3, 4 ICSID Rep. 250, [77], [85](b) (1997).
281. Heinegg, supra note 54, at 17; Pirker, supra note 34, at 205-06.
282. Many states lack the technical expertise to collect and analyse such evidence,
so outsourcing is likely required.

This approach should be tempered. Indications of government
infrastructure’s involvement in a cyberattack can be deceiving.
First, non-State hackers may compromise a government server.284 A
cyberattack being mounted from government infrastructure does not
in itself establish responsibility in the cyber context.285
Second, cyberattacks are often dressed with “spoofing” (identity
manipulation) techniques. In the Estonian incident, spoofing clouded
evidence which incriminated Moscow’s exclusive infrastructure:
unknown perpetrators could have adopted the veil of a Moscow
government computer.286 Often, “onion routing” techniques are used to
conceal perpetrators’ identity.287 The majority of cyberattacks use such
masquerading tactics.288 Even if network logs suggest a cyberattack
exploited government infrastructure, the victim State should still be
bound to adduce evidence to dismiss spoofing concerns.
Some commentators stretch the presumption of constructive
knowledge further. They advocate a reverse presumptio juris whenever
a cyberattack is associated with government infrastructure,289 or when
“injurious cyber activity can be traced to the territory of a single
State.”290 International tribunals would shift the burden of proof onto
the territorial State, who must disprove their presumed constructive
knowledge.291

283. Heinegg, supra note 54, at 17.
284. Id.; Tallinn Manual, supra note 25, rule 7 cmt para. 4; Pirker, supra note 34, at
117.
285. Tallinn Manual supra note 25, rule 7.
286. Tikk, Kaska & Vihul, supra note 85, at 19, 23.
287. Onion routing distributes signals through multiple networks. The data packets
then “take a random pathway through several relays . . . so no observer at any
single point can tell where the data came from or where it’s going.” Tor,
Overview (2016), available at https://tor.eff.org/about/overview.html.en (last
visited Aug. 18, 2016).
288. Cf. Pirker, supra note 34, at 208.
289. Daniel J Ryan et al., International Cyberlaw: A Normative Approach, 42 Geo. J.
Int’l L. 1161, 1185 (2011).
290. Antonopoulos, supra note 256, at 64.
291. Ryan et al., supra note 289.
Reversal of the burden of proof conflicts with I.C.J. jurisprudence.292
In Corfu Channel, the I.C.J. did not infer Albania’s constructive
knowledge of injurious activity purely based on their exclusive
territorial control. Territorial control does not “[shift] the burden of
proof . . . in relation to unlawful acts perpetrated therein.”293 In Pulp
Mills, the I.C.J. stated “a preventive approach . . . does not [operate]
as a reversal of the burden of proof.”294 It is not for the territorial State
to prove its diligence. State control over governmental networks only
gives rise to “abstract and immaterial knowledge” of a cyberattack,
insufficient to presume State responsibility.295
But victim States may use the accused State’s control over
government infrastructure as evidence. Section IV.A.3. explains how a
pattern of such evidence should establish constructive knowledge. But
first, we examine how constructive knowledge would operate under
category 4.

ii. Category 4
With reference to Section III.F.3., should a C.D.C. framework be
established, a degree of constructive knowledge should be presumed.
Territorial States would be held to a standard of vigilance in maintaining
their cyber-territory, and constructive knowledge of an ongoing
or imminent attack would be imputed to these States. States would
have less latitude to plead a lack of capacity to discover a particular
cyberattack.
Presuming knowledge would reflect heightened expectations for
State compliance with cyber-diligence obligations.296 The victim State
still bears the burden of proof297 and should establish knowledge
to a clear and convincing standard to discharge their burden in an
international tribunal.

292. Marco Roscini, Evidentiary Issues in International Disputes Related to State
Responsibility for Cyber Operations, 50 Tex. Int’l L. J. 233, 245-48 (2014).
293. Corfu Channel, supra note 44, at 18; Antonopoulos, supra note 256.
294. Pulp Mills, supra note 45, at 71 para. 164.
295. Corfu Channel, supra note 44, at 51 (Judge Winiarski), 65 (Judge Badawi
Pasha), 127 (Judge ad hoc Ečer); Tallinn Manual, supra note 25, rule 7 cmt para.
3.
296. Becker, supra note 202, at 135.
297. Pulp Mills, supra note 45, at 71 para. 164; Nicaragua, supra note 43, at 59-
60 para. 101; Markus Benzing, Procedure, Evidentiary Issues, in The Statute

3. Overcoming the Evidentiary Hurdle: Standard of Proof


Typically, a failure in due diligence will be raised after the victim State
(“applicant”) suffers injury. The issue turns to causation. How does
the applicant gather sufficient evidence to establish that actual or
constructive knowledge triggered the territorial State’s (“respondent”)
cyber-diligence obligation?298 The applicant will struggle to establish
their case absent the respondent’s assistance or at least consent to
evidence collection.299
The I.C.J. acknowledges that victim States face evidentiary
difficulties, allowing a “more liberal recourse to inferences of fact
and circumstantial evidence . . . provided that they leave no room for
reasonable doubt.”300 But the standard of proof in an international
tribunal should not be lowered “simply because it is . . . difficult to
reach.”301 The standard “[protects] the respondent against false
attribution . . . a particularly serious risk in the cyber context.”302
The applicant must produce reliable and neutral evidence to establish
that the respondent at least ought to have known of the cyberattack.303
They could rely on experts to adduce logs of the respondent’s network
behaviour during the cyberattack.304 An international tribunal may
commission its own experts to evaluate the reliability of such evidence.305
The applicant may also produce documentary data and press reports306
to establish the respondent had sufficient information to make further
inquiries into the cyberattack, but failed to do so.

of the International Court of Justice: A Commentary 1245 (Andreas
Zimmermann et al. eds, 2012).
298. Brownlie, supra note 252, at 45; cf. Koskenniemi, supra note 252, at 50; Corfu
Channel, supra note 44, at 65 (Judge Badawi Pasha) (stating a causal nexus
between Albania’s failure to prevent laying of the minefield and the explosion
must be established).
299. See infra, III.B.3.
300. Corfu Channel, supra note 44, at 18; but see Marco Roscini, Evidentiary Issues
in International Disputes, in Ohlin, Govern & Finkelstein eds, supra note 25,
at 244 (citing Reply of Bosnia and Herzegovina, Genocide Case, para. 839, 91
Int’l Ct of Just. (Apr. 23, 1998)).
301. Roscini, supra note 292, at 251.
302. Id.
303. Benzing, supra note 297, at 1267.
304. Whaling in the Antarctic (Austl v. Japan: N.Z. Intervening), Judgment, I.C.J.

Some commentators advocate for a “very liberal approach
to evidence [in cyberspace].”307 They contrast the anonymity of
cyberattacks against kinetic threats, which are physically traceable,
before, during, and after the attack.308
However, the primary rule invoked in a matter determines the
standard of proof.309 International tribunals should not adopt a low
standard of proof in due diligence matters. As Durward Sandifer argues:
“in dealing with sovereign States . . . it cannot lightly be presumed that
one of the parties to the litigation is guilty of negligence.”310 Doing so
may result in evidence of low probative value establishing a breach
of due diligence, which would undercut the presumption that States
observe international law.311 Conversely, the standard of proof should
not be so “unduly exacting” that it becomes impossible to meet.312

Rep. 2014 (Mar. 31), p. 226, 237 paras 18-20, 255-57 paras 73-82, 283 paras
188-90, 290-93 paras 217-227; The South China Sea Arbitration (The Republic
of Philippines v. The People’s Republic of China), Perm. Ct. Arbitration Case
No. 2013-19, (July 12, 2016), paras 297, 978-83, 1084-1108; Benzing, supra
note 297, at 1268.
305. Id.
306. But see Armed Activities on the Territory of the Congo (Dem. Rep. Congo
v. Uganda), Judgment, I.C.J. Rep. 2005 (Dec. 19), p. 40 para. 62 (hereinafter
“Armed Activities”).
307. Antonopoulos, supra note 256, at 64.
308. Matthew C. Waxman, The Use of Force Against States that Might Have Weapons
of Mass Destruction, 31 Mich. J. Int’l L. 1, 62 (2009).
309. Shabtai Rosenne, The Law and Practice of the International Court
1043 (4th ed., 2006).
310. Durward V. Sandifer, Evidence Before International Tribunals 170
(1975); see also Cheng, supra note 252, at 323-26; Mojtaba Kazazi, Burden
of Proof and Related Issues: A Study on Evidence before International
Tribunals 336-37 (1995).
311. Corfu Channel, supra note 44, at 72 (Judge Krylov).
312. Case of Certain Norwegian Loans (Fr. v. Nor.), 1957 I.C.J. Rep. 9, 39 (July
6) (Judge Lauterpacht); Pulp Mills, supra note 45, at 230 paras 25-26 (Judge
“Clear and convincing” should be the standard of proof to establish
knowledge. The applicant ought to produce “sufficiently clear”313
and weighty evidence to meet the standard.314 The applicant could
realistically gather sufficient evidence to establish a reasonable inference
of the respondent’s constructive knowledge.315 The standard also
precludes international tribunals finding violations of international law
based on unconvincing evidence,316 especially given these proceedings
rarely have appeal mechanisms.317

However, cyberattacks may regularly implicate governmental
cyber-infrastructure in particular States.318 This paper argues that an
applicant establishes constructive knowledge to a clear and convincing
standard if it adduces evidence of:
1. a sustained pattern of association between cyberattacks
causing serious injury and the respondent’s governmental
infrastructure;319 and

2. the same infrastructure’s involvement in the applicant’s
incident.

Greenwood).
313. Case Concerning Oil Platforms (Islamic Republic of Iran v U.S.), 2003 I.C.J.
Rep. 168, 200 para. 58 (Nov. 6).
314. Armed Activities, supra note 306, at 205 para. 72, 209 para. 91, 220 para. 136;
Nicaragua, supra note 43, at 24-25 para. 29; Trail Smelter, supra note 45, at
1965.
315. Cheng, supra note 259, at 325.
316. Roscini, supra note 292, at 252-53; Kazazi, supra note 310, at 337; see also
Nicaragua, supra note 43, paras 62, 109.
317. Kazazi, supra note 310, at 337.
318. Id.; Czosseck, supra note 9, at 23.
319. “[W]here the act complained of is only one in a series of similar acts, the
repetition of which [would] raise a presumption in favor of the [authorities’]
knowledge and . . . corresponding accountability.” 3 John Bassett Moore,
History and Digest of International Arbitrations to which the United
States has been a Party 3030, 3042 (1898) (citing Wipperman case) (emphasis
added).
Propensity then assists an applicant to overcome a lack of probative
evidence if confronted with an uncooperative territorial State. It also
incentivizes States to secure (at least) their governmental infrastructure.
But the approach does not prejudice States who lack the capacity to
safeguard their governmental infrastructure.320
Questions of a State’s actual or constructive knowledge are
contingent on a judicial forum’s evidentiary standards. Together, they
form the “knowledge” element to trigger cyber-diligence obligations. A
threshold of constructive knowledge proven to a clear and convincing
standard has been advanced. This paper now turns to the second
trigger-element: injury.

B. What Level of Injury Engages A Cyber-Diligence Duty?


Injury is not a pre-requisite to finding an internationally wrongful act
under the laws of State responsibility.321 Once a breach is attributed to a
State, responsibility is potentially engaged, subject to application of the
primary rule.322 In the context of due diligence, however, damage is a
condition to finding a violation of the primary rule.323 A State who failed
to exercise cyber-diligence is only liable for breaching the primary rule
after hostile acts, contrary to another State’s legal rights, occur.324 When
“due diligence is violated, there is an attribution to the State . . . of the
consequences of the acts of [private] persons.”325

320. See infra, V.
321. Articles on State Responsibility, supra note 11, at 32 art. 1; Stern, supra note
33, at 194; Attila Tanzi, Is Damage A Distinct Condition for the Existence of An
Internationally Wrongful Act?, in United Nations Codification on State
Responsibility 3 (Marina Spinedi & Bruno Simma eds, 1987); Malcolm N.
Shaw, International Law 403 (7th ed., 2014).
322. Articles on State Responsibility, supra note 11, at 34, 36 art. 2 cmt paras 3, 9;
Crawford, supra note 55, at 65; Crawford, supra note 200, at 308.
323. Economides, supra note 60, at 377; Schmitt ed., supra note 25, rule 6 cmt para.
5; Brownlie, supra note 252, at 154.
324. Articles on State Responsibility, supra note 11, at 92 art. 31 cmt (6); Corfu
Channel, supra note 44, at 22; Asian Agricultural Products Ltd., supra note 280, para.
85(c); Tehran Hostages, supra note 30, at 31 [63]; Pulp Mills, supra note 30, at
55-56 para. 101; UNCLOS, supra note 144, art. 194.
325. Stern, supra note 33.
Not all cyberattacks engage a State’s cyber-diligence obligation.326
Due diligence obligations derive from States’ sovereign equality.327
States must exercise cyber-diligence to disable cyberattacks which
detrimentally affect the legal rights of other States.328 Responsibility
attaches when a cyberattack infracts the “theoretical inviolability” of a
national legal order. Cyber-diligence obligations “re-establish the status
quo erat.”329 With that in mind, this section defines “serious injury” to
trigger States’ cyber-diligence obligations.

The Tallinn Manual defines an “unlawful [cyber] act” as “all cyber
activities from one State’s territory that affect the rights of other States
[producing] a negative effect.”330 The definition covers any operation
affecting “sovereignty”: a lower level of injury compared to an act of
interference331 or armed force.332
However, when is “a negative effect” of sufficient gravity to trigger
cyber-diligence? Jurisprudence and the literature establish a context-
dependent standard of serious injury. In Trail Smelter, the arbitral
tribunal stated “no State has the right to use or permit the use of its
territory in such a manner as to cause injury . . . when the case is of
serious consequence.”333 Some commentators state that “serious injury”
triggers the duty, without further explanation.334 The Tallinn Manual
ambiguously concludes that “physical damage to objects or injuries to
individuals is not necessarily required.”335

326. See infra, III.B.
327. See infra, II; Nicaragua, supra note 43, at 106-107 para. 202; Corfu Channel,
supra note 44, at 22.
328. Tehran Hostages, supra note 30, at 32-33 paras 67-68; Trail Smelter, supra note
45, at 1905, 1965; Schmitt ed., supra note 25, rule 1 cmt para. 6.
329. Cheng, supra note 252, at 170.
330. Schmitt ed., supra note 25, rule 5 cmt para. 5.
331. Nicaragua, supra note 43, at 107-08 para. 205; Oona Hathaway, The Drawbacks
and Dangers of Active Defense, in Proceedings of the 6th International
Conference on Cyber Conflict 49 (Pascal Brangetto, Markus Maybaum &
Jan Stinissen eds, 2014).
332. Shackleford, supra note 81, at 218-19; Schmitt ed., supra note 25, rule 5 cmt
para. 5.
333. Trail Smelter, supra note 45, at 1905, 1965.
334. Pirker, supra note 34, at 204.

“Serious injury” is determined in retrospect. The concept does
not define what measures a State should take during the occurrence
of the injury. In small-scale cyberattacks targeting limited networks,
the entire cyberattack operation could have already concluded once
“serious injury” has occurred. Further cyber-diligence measures will
be pointless. But in sustained cyberattack operations targeting multiple
sectors, initial “serious injuries” should trigger cyber-diligence
obligations. This prevents further injuries to other networks.336
This paper splits potential injuries from cyberattacks into descending
categories.337 We argue that categories (1) and (2) amount to “serious
injury” capable of triggering a State’s cyber-diligence obligation. The
types of injury listed are non-exhaustive, but represent differing levels
of severity.

1. Injury to Persons or Loss of Life; Physical Damage or Destruction of Objects
Cyberattacks which cause physical damage equivalent to conventional
attacks could constitute armed force or armed attack (when launched
by a State).338 While discussions of jus ad bellum are beyond this paper’s
scope, several observations should be made.
First, category 1 represents cyberattack injury of the highest severity.
Any physical harm to persons or objects would trigger a territorial
State’s cyber-diligence obligation.339 But it is very rare for a cyberattack
to cause category 1 damage. Predictions of cyberattacks which cause
chaos by shutting down air-traffic control, dams or transportation
infrastructure remain hypothetical. Some argue that attacks on critical
national infrastructure (such as water supply and electricity grids) would
likely lead to secondary consequences of physical injury to persons and
objects.340 An attack on one critical network has a “synergistic effect,”341
propagating injury to other connected physical infrastructures.

335. Schmitt ed., supra note 25, rule 1 cmt para. 6, rule 5 cmt para. 5; Schmitt &
Watts, supra note 152, at 4-5.
336. See Radziwill, supra note 36, at 81-83.
337. NATO CCDCOE, Tallinn Manual 2.0 Approach to State Responsibility (2015)
available at https://www.youtube.com/watch?v=1o8uuZsPvms (last visited
Apr. 17, 2016).
338. U.N. Charter, art. 2(4), 51; Schmitt ed., supra note 25, rule 11; Yoram
Dinstein, Computer Network Attack and Self-Defense, 76 Int’l L. Stud. 99, 103
(2002); Barkham, supra note 81, at 80; Schmitt, supra note 28, at 914; Albrecht
Randelzhofer & Oliver Dörr, Article 2(4), in The Charter of the United
Nations: A Commentary 208 (Bruno Simma ed., 3rd ed. 2012).
339. Schmitt ed., supra note 25, rule 5 cmt para. 5.

Such conclusions need to be balanced. The scale and duration
of a cyberattack and the effectiveness of the target State’s response
determine the likelihood of category 1 injuries. In 2015, for the first
time, a cyberattack struck an electricity grid, in Ukraine. The attackers
hijacked Supervisory Control and Data Acquisition (“SCADA”) systems
in seven substations,342 disconnecting power to 225,000 Ukrainians for
three hours. Some had anticipated an “electronic Pearl Harbour” once
a cyberattack hits an electric grid.343 This did not occur. The Ukrainian
energy providers shifted to manual operations and restored electricity
quickly. No physical damage to infrastructure occurred.344
Second, as yet, only State organs are equipped and motivated to
inflict material injury using cyber-offensive capabilities.345 Such a
cyberattack would automatically be considered an act of the State.346
Liability turns on attribution and the breach of an international

340. Marco Roscini, Cyber Operations as A Use of Force, in Tsagourias & Buchan
eds, supra note 35, at 246.
341. Dana Shea, Critical Infrastructure: Control Systems and the Ter-
rorist Threat CRS-8 (2003).
342. SCADA systems control networks operating plants and equipment in in-
dustrials such as energy, electricity, transportation and water control. Nat’l
Communications System, Supervisory Control and Data Acquisition
(SCADA) Systems 4 (Technical Information Bulletin 04-1, 2004).
343. Shackleford, supra note 81, at 195; see also Ahmad Kamal, The Law of Cyber-
space: An Invitation to the Table of Negotiations 69 (U.N. Institute of Training
& Res., 2005); Jack Goldsmith, How Cyber Changes the Laws of War, 24 Eur. J.
Int’l L. 129, 133 (2013); Shea, supra note 341, at CRS-8.
344. Electricity Information Sharing and Analysis Center, Analysis of
the Cyber Attack on the Ukrainian Power Grid v-vi (2016), https://ics.
sans.org/mmedia/E-ISAC_SANS_Ukraine_DUC_5.pdf.
345. Terry D. Gill, Non-Intervention in the Cyber Context, in Ziolkowski ed., supra
note 9, at 235; U.N. Institute for Disarmament Res., supra note 24, at 3.
346. Genocide Case, supra note 30, at 202 para. 385.
245
Liu
obligation. Questions of whether a State failed to prevent the injury
emanating from their territory become immaterial. A State may forego
invoking intermediary cyber-diligence breaches if the injury is serious,
preferring to treat it instead as armed force or armed attack so as
to enliven jus ad bellum. Non-State hacktivists rarely (if ever) cause
physical injury. Hackers instead inundate networks with DDOS attacks
or implant malware and extract information.347
Third, no reported cyberattack has yet caused injury to persons
or loss of life.348 Some have come close: hackers infiltrated a hospital
network and lethally altered a patient’s dosages, only to be discovered
by a nurse before the drug was administered.349 Debate exists about
whether the 2010 Stuxnet virus actually caused physical damage to
Iranian centrifuges.350 Stuxnet took control of SCADA networks,
manipulated data and controlled the processing speed of centrifuges.
One commentator argues that the injury suffered was a mere usurpation
of the SCADA networks and not injury to the physical integrity of
the centrifuges.351 Apart from Stuxnet, to date, we have been unable
to identify a single cyberattack which has caused physical damage to
a network’s physical components, rather than merely destroying data or
incapacitating network functions.352
Cyberattacks overloaded and temporarily suspended networks in
the Estonian and Georgian incidents.353 But, despite social and economic
disruptions, no network reportedly suffered destructive or permanent
injuries. A rigid requirement of physical damage or destruction
(perhaps more suited to conventional attacks)354 is inappropriate for
cyber-diligence. The cyber-diligence obligation prevents injury to
cyber networks and infrastructure. A lower level of damage should
also trigger cyber-diligence. One commentator notes: “the dependency
of modern societies on [computer] networks has made it possible to
incapacitate physical infrastructures without destroying them.”355

347. Cf. Barkham, supra note 81, at 88.
348. Roscini, supra note 340, at 243.
349. Howard L. Steele Jr., The Prevention of Non-Consensual Access to “Confidential”
Health-Care Information in Cyberspace, 1 Computer L. Rev. & Tech. L. J. 101,
102 (1997).
350. Roscini, supra note 340, at 243-44; Terry D. Gill, Non-Intervention in the Cyber
Context in Peacetime Regime, in Ziolkowski ed., supra note 9, at 235.
351. Katharina Ziolkowski, Stuxnet: Legal Considerations 4-5 (NATO Cooperative
Cyber Defence Centre of Excellence, Tallinn 2012); William J. Broad, Report
Suggests Problems with Iran’s Nuclear Effort, N.Y. Times (Nov. 23, 2010),
http://www.nytimes.com/2010/11/24/world/middleeast/24nuke.html?_r=0;
Nicholas Falliere, Liam O Murchu & Eric Chien, W32. Stuxnet Dossier (Research
Paper Version 1.4, Symantec Security Response, 2011).
352. See Radziwill, supra note 36, at 58-60.
353. Tikk, Kaska & Vihul, supra note 85.

2. Loss of Network Functionality356
Most cyberattack methods disrupt target networks. Cyberattacks could
overwhelm a network with botnet requests, cause system malfunction,
or otherwise degrade the quality of network services.357 Herbert Lin
distinguishes between a (destructive) “cyberattack” and a (non-
destructive) “cyber-exploitation”.358 The former renders a network
unavailable, or undermines the network’s integrity, without destroying
any physical components.359 For instance, DDOS attacks on Estonian
infrastructure temporarily reduced accessibility to crucial services in
the financial, telecommunications, media, and government sectors.360
The attack significantly hindered the ability to conduct financial
transactions, resulting in losses to industry and Estonian citizens.361
This paper argues that once a cyberattack causes serious disruptions
to a network’s proper functioning, the cyberattack is then “destructive”,

354. Waxman, supra note 28, at 425.
355. Roscini, supra note 340, at 237.
356. For a (fictional) example, see Int’l L. Students Ass’n, 2016 Jessup Compromis:
Special Agreement Between the State of Amestonia and The Federal Republic
of Riesland paras 37-38 (2016), https://www.ilsa.org/jessup/jessup16/.
357. Herbert S. Lin, Offensive Cyber Operations and the Use of Force, 4 J. Nat’l Sec.
L. & Pol’y 63, 69-70 (2010).
358. Id. at 67.
359. Id.
360. Radziwill, supra note 36, at 81; Kerschischnig, supra note 267, at 61.
361. United Press International, E.U. Seeks Unified Cybersecurity Regime
(2011), available at http://www.upi.com/Top_News/Special/2011/06/16/EU-seeks-unified-cybersecurity-regime/UPI-87891308219420
(last visited Aug. 16, 2016).
and constitutes “serious injury.”362 Cyber-diligence obligations should
be triggered as soon as the primary injury incapacitates a network, rising
to the level of “destructiveness.”363 The disruption should not simply be
inconvenient, but should have a substantially detrimental effect “on the
ability of the owner or operator to use the system, or communicate with
other systems.”364 The Budapest Convention on Cybercrime (“Budapest
Convention”) defines system interference as “the serious hindering …
of a computer system by inputting, transmitting, damaging, deleting,
deteriorating, altering or suppressing computer data.”365 This definition
could be applied to determine whether a cyberattack is “destructive”.366
A progressive interpretation of “destructive” should extend
beyond damage which mirrors that of a kinetic attack. Given network
interdependency, cyberattacks could cause consequent harm to
society without physical destruction. For example, submarine cables
facilitate inbound and outbound internet traffic. A cyberattack on a
network which controls submarine cables could affect operations in the
telecommunications, finance, and transportation industries.
Secondary “flow-on” effects are often the primary intention of a
cyberattack.367 The level of cyber-diligence employed should account
for whether the primary interference could cause great harm.368 Due
diligence standards change according to “new scientific or technological
knowledge [and] risks involved in the activity.”369 Primary injury to

362. See Roscini, supra note 340, at 247; Committee on Offensive Information
Warfare, supra note 25, at 254.
363. Will Goodman, Cyber Deterrence: Tougher in Theory than in Practice?, 4
Strateg. Stud. Q. 103, 111 (2010); Id. at 40-41.
364. Kamal, supra note 343, at 52.
365. European Convention on Cybercrime, supra note 122, art. 5; The Constitution
and Convention of the International Telecommunication (ITU), 1825 U.N.T.S.
3, entered into force Jan. 1, 2000, art. 39(2); Kerschischnig, supra note 267, at
163.
366. Kamal, supra note 343, at 52.
367. Committee on Offensive Information Warfare, supra note 25, at 80.
368. Lin, supra note 357, at 68; Directive 2004/35/CE of the European Parliament
and the Council on Environmental Liability with Regard to Prevention and
Remedying of Environmental Damage, art. 2(2), 2004 O.J. (L. 143/56).
369. Seabed Mining, Advisory Opinion, supra note 30, at 10, [117].
certain infrastructures could disrupt downstream access to essential
service(s) for a protracted period.370 If predictions of cyberattacks on
health systems or transportation infrastructure materialise, the standard
of cyber-diligence should rise to correspond to the increased risk.
States should be obligated, with reference to the primary infrastructure
affected, to take proportionate action to prevent or reduce secondary
injuries (to the extent possible).371

3. Cyber-Exploitations
The third category of “injury” results from stealthily executed cyber
activities, unknown to the victim. “Cyber-exploitation” describes an
activity intended to clandestinely access and exploit a network’s
vulnerabilities without disturbing the network’s operation.372
Intelligence gathering operations most frequently cause this “injury”.373
Hackers emplace malware into a network to collect information for
economic or political purposes. Cyber-exploitations could also probe
a network for vulnerabilities in preparation for future cyberattacks.374
The term “injury” is hesitantly used to refer to category (3). It is
unclear what injury cyber-exploitation actually causes to a victim State.
“[An] infringement of rights or legally protected interests” activates
cyber-diligence obligations.375 The question turns on whether peacetime
cyber-exploitation infringes a target State’s territorial sovereignty.376
Arguably, covert cyber-exploitations which intrude on a network
and extract data violate the “honor, dignity or prestige of a State”,377

370. Waxman, supra note 308, at 45; Lin, supra note 357, at 68; Committee on
Offensive Information Warfare, supra note 25, ch. 1.8.3. Legal and Ethical
Findings.
371. Seabed Mining, Advisory Opinion, supra note 30, para. 117; Draft Articles on
Transboundary Harm, supra note 78, at 153-54 art. 3 cmt para. 11.
372. Kamal, supra note 343, at 40-41.
373. Lin, supra note 357, at 63-64.
374. Roscini, supra note 340, at 241.
375. Crawford, supra note 55, at 55; Articles on State Responsibility, supra note 11,
at 34, 36 art. 2 cmt paras 9, 91, 92 art. 31 cmt para. 5.
376. Kathryn Jane Browne, Peacetime Espionage in International Law: From State
Practice to First Principles, ALSA Acad. J. 4, 5 (2016).
377. Differences Between New Zealand and France Concerning the Interpretation
or Application of Two Agreements, Concluded on 9 July 1986 between the Two
States and which Related to the Problems arising from the Rainbow Warrior
Affairs (N.Z. v. Fr.) (1990) 20 RIAA 215, 266-267 paras 107-09 (hereinafter
“Rainbow Warrior”).

constituting injury “of a moral, political and legal nature.”378 Some
commentators argue that cyber-espionage “can result in harm to
the country at least as severe as a physical attack.”379 Nonetheless,
the legality of peacetime cyber-espionage is highly disputed.380 Data
collection programs including Ghostnet, PRISM and Tempora
continue,381 implicitly tolerated by States, who “will not want to deprive
themselves of this tool.”382 There is no clear answer as to whether
cyber-exploitations constitute “serious injury” for cyber-diligence purposes.
Invoking another State’s failure to prevent cyber-exploitation will likely
be perceived as hypocritical.383
The Committee on Offensive Information Warfare notes that “the
distinction between cyberattack and cyber-exploitation may be very
hard to draw from a technical standpoint and may lie primarily in the
intent of the user.”384 Indeed, a single cyberattack can cause category
(2) and (3) effects. A hacktivist might plant monitoring software and

378. Id. at 267 para. 110.
379. Goldsmith, supra note 343, at 133.
380. Russell Buchan, Cyber Espionage and International Law, in Tsagourias & Buchan
eds, supra note 35, at 168; Katharina Ziolkowski, Peacetime Cyber Espionage:
New Tendencies in Public International Law, in Ziolkowski ed., supra note
9, at 425; see also Myres McDougal, Harold Lasswell & Michael W. Reisman,
The Intelligence Function and World Public Order, 46 Temp. L. Q. 365 (1973);
C.R.D. Scott, Territorially Intrusive Intelligence Collection and International
Law, 46 Air. For. L. Rev. 217 (1999); Simon Chesterman, The Spy Who Came
in from the Cold War: Intelligence and International Law, 27 Mich. J. Int’l L.
1071 (2006).
381. Information Warfare Monitor, Tracking Ghostnet: Investigating a Cyber Espionage
Network (Investigation Report, 2009); The Right to Privacy in the Digital
Age, G.A. RES. 68/167, U.N. GAOR, 68th sess., plen. mtg C.3, U.N. Doc.
A/RES/54/254 (Jan. 21, 2014).
382. Ziolkowski, supra note 380, at 464.
383. Browne, supra note 376, at 7.
384. Committee on Offensive Information Warfare, supra note 25, ch. 1.6.
The Legal Framework Governing Cyberattack.
a “logic bomb” into a system at the same time.385 The two infiltrations
complement each other: the software assesses the network’s
vulnerabilities and determines a “sweet spot” to trigger the logic bomb,
so as to cause the most injury. The (initially) non-destructive operation
can mature, in real time, into a destructive cyberattack.
Successful cyber-exploitation, which operates within a network,
normally goes unnoticed.386 Cyber-diligence cannot be triggered
without sufficient knowledge and should only be triggered when
destructive effects materialise.

4. Cyber-Vandalism, Irritation and Computer Crime
The Tallinn Manual regards “mere irritation or inconvenience” as not
of sufficient seriousness to trigger cyber-diligence.387 Low-intensity
cyber-vandalism does not cause serious disruption to a State and is
appropriately classified as a domestic cybercrime under the Budapest
Convention.388 85% to 97% of all cybercrimes are not revealed, let
alone prosecuted.389 Such laxity in enforcement demonstrates States’
passive tolerance of low-intensity cybercrimes.390 To counter “close
to unlimited” instances of cyber-vandalism,391 States should improve
domestic cybercrime regulation and dedicate cyber-diligence resources
to preventing higher categories of injury.
Marco Roscini argues that defacement alters computer data
and should be characterized as a disruptive cyberattack (category 2

385. Goodman, supra note 363; Kamal, supra note 343, at 40-41. A tactic known as
the “malware time-bomb” was used in the Georgia incident, where hacktivists
planted “time-bombs” to cause further damage upon the occurrence of a
trigger event.
386. Lin, supra note 357, at 79; Goldsmith, supra note 343, at 131.
387. Schmitt, supra note 56, at 75-76.
388. European Convention on Cybercrime, supra note 122, art. 4; Kamal, supra
note 343, at 52-53.
389. Victor Sabadash, A Latency of Computer Crimes (Computer Crime Res. Ctr,
2004), available at http://www.crime-research.org/articles/sabad03_2004/ (last
visited Sep. 1, 2016).
390. Kamal, supra note 343, at 52-53.
391. Radziwill, supra note 36, at 78.
injury).392 But it is difficult to see how defacement and propaganda go
beyond “visual corruption of public webpages”.393 Defacement may
be considered offensive or even slanderous, depending on the target
State’s political orientation. But unlike “destructive” cyberattacks,
defacement merely causes superficial injuries to a network. Hacktivists
intend to transmit unwanted political messages, not to overthrow
a regime.394 Oppenheim’s International Law notes that due diligence
obligations do not extend to “suppress[ing] criticism of, or propaganda
directed against, other States or governments on the part of private
persons.”395 Roscini himself recognizes that defacement is “relatively
innocuous [and] psychological.”396 Cyber-diligence should not “imply
an obligation to suppress all such conduct [inimical to] the regime or
policy of a foreign State.”397
Despite the difficulties of retrospectively evaluating “serious injury”,
this threshold reflects States’ concerns about cyberattacks which disable
infrastructural operations. Under our formulation, cyber-exploitation
and defacement fall below the threshold. States would likely avoid
burdensome cyber-diligence for low-intensity cyber activity that is largely
tolerated internationally.
The final section outlines hypothetical cyberattack scenarios and
explores whether best-practice exchanges could set an implicit standard
of cyber-diligence.

392. Roscini, supra note 340, at 241.
393. Radziwill, supra note 36, at 76; e.g., Kerschischnig, supra note 267, at 65.
394. Jenning & Watts eds, supra note 14, at 393-94.
395. Id. at 393.
396. Roscini, supra note 340, at 241.
397. Jenning & Watts eds, supra note 14, at 393; see also Radziwill, supra note 36,
at 78.
V. ASSESSING BREACH OF THE CYBER-DILIGENCE OBLIGATION

The preceding sections define the contents and triggers of cyber-diligence
obligations. This paper now discusses violation of the primary
obligation.
Breach of the primary obligation fastens on a State’s knowledge,
capacity to prevent, and the level of injury caused. Pierre-Marie Dupuy
states: “the true breach of an obligation of conduct is the breach of an
obligation to behave (in a legally defined way).”398 The accusing State
needs to establish that it would not have suffered injury, or would
have suffered less injury, if the accused State had exercised cyber-diligence.
Injury is not the decisive element. Breach is evaluated according to
whether, at the origin of the injury, a State failed to do all it could to
prevent the end result.399 As soon as a territorial State does not take
all appropriate measures to stop a cyberattack, the cyber-diligence
obligation has been violated.400
The obligation, articulated in theory, does not capture the infinite
scenarios which may arise in practice, including when:401
1. A lesser-able State puts their limited capacity to diligent use,
doing all they can to stop a cyberattack.
2. A State has sound cyber-capabilities in general, but is
“resource-poor” at the time of the cyberattack. The State
may have allocated intense resources to other priorities and
is unable to terminate the cyberattack.
3. A State with sound cyber-capabilities, both generally and
at the time of a cyberattack, decides not to terminate the
cyberattack.

398. Dupuy, supra note 69, at 379.
399. Id.; Second Report on State Responsibility, U.N. Doc. A/CN.4/498, 28 [86]; cf.
Crawford, supra note 201, at 310.
400. Economides, supra note 60, at 377.
401. Becker, supra note 202, at 151-52.
These situations are highly abstract and all presuppose that a State
has requisite knowledge and that the cyberattack causes serious injury.
Variable factors across these situations determine breach. Assessment
of breach ought to be “realistic and context-sensitive,”402 particularized
to the circumstances in question. Theoretically, the State in situation
(1) has exercised cyber-diligence to the extent of their capabilities,
satisfying the obligation. The State in situation (3) has, by contrast,
failed to do all it could to stop the cyberattack, and breaches their
obligation. Situation (2) is less clear: international law does not dictate
States’ domestic resource-allocation.403
In reality, establishing responsibility is not straightforward. To
evade responsibility, an accused State could claim:
1. they exercised their best efforts, yet still failed to achieve a
result in the face of new cyberattack methods;
2. a lack of capacity at the time of a cyberattack, given other
exigencies;404 or
3. they lacked sufficient knowledge of the cyberattacks.
The accusing State then bears the unenviable burden of establishing
breach.
Predicting a breach of cyber-diligence with confidence is difficult.
First, there is no minimum standard of cyber-diligence to measure
compliance against.405 Second, a State’s acquiescence to a cyberattack
is also likely to be covert and publicly denied.406 Third, cyber-diligence
is a “moveable target”, constantly evolving as cyberspace technology
develops.407

402. Trapp, supra note 63, at 73; Genocide Case, supra note 30, at 221-22 paras 430-
431; Tehran Hostages, supra note 30, at 31 paras 63-64; Asian Agricultural
Products Ltd., supra note 280, para. 85.
403. Trapp, supra note 63, at 73.
404. Becker, supra note 202, at 151-52.
405. Cf. Pulp Mills, supra note 97, at 66-67.
406. See also Philippines v. China, supra note 146, para. 754.
407. Seabed Mining, Advisory Opinion, supra note 70, para. 117.
The 2015 G.G.E. report recommended that the U.N. “consider
initiatives for international dialogue and exchange on ICT security
issues.”408 A C.D.C. which encompasses “U.N. agencies, the private
sector, academia and civil society organisations”409 could facilitate best-
practice exchanges. S.C. Resolution 1377 invited the C.T.C. to promote
counter-terrorism best-practice and prepare model laws.410 A C.D.C.
could do the same, and implicitly define an expected standard of care
for cyber-diligence between member States.

Best Management Practices (“BMPs”) in counter-piracy provide
a useful example of the best-practices approach to solving problems.
Devised by the International Marine Organisation and the shipping
industry, the BMPs increased vessels’ successful resistance to piracy
by 25%.411 Adopting these self-help recommendations (including such
matters as speed, security equipment, and watchkeeping) was in the
vessels’ best interests. Compliance minimized insurance premiums and
decreased the probability of pirate capture.412
There is no guarantee that adopting and disseminating best-
practice will achieve these results for cyber-diligence. Cyber-powers or
private industries must be willing to share their (actual) best-practices
before any dialogue improves cyber-diligence capabilities. Private
industry could monetise cyberattack prevention capabilities and offer
their services to the highest bidder. There is limited transparency in
cybersecurity efforts:413 States and industry are unlikely to openly
disclose the full extent of their technical capacity.414 Improving cyber-
diligence may not be favourable to the geopolitical agendas of some

408. Group of Governmental Experts on Developments in the Field of Information
and Telecommunications, U.N. Doc. A/70/174, 10 [18], 13 [33].
409. Id. at 11 para. 21(g).
410. S.C. Res. 1377, UNSCOR, 4413th mtg, U.N. Doc. S/RES/1377 (Nov. 12, 2001)
Annex 3.
411. House of Commons Foreign Affairs Committee, Piracy Off the Coast of Somalia
19-20 (2012), available at www.parliament.uk (last visited Oct. 10, 2016).
412. Douglas Guilfoyle, Somali Pirates as Agents of Change, 1 Camb. J. Int’l & Comp.
L. 81, 101-02 (2012).
413. U.N. Institute For Disarmament Res., supra note 24, at 1-2.
414. Id. at 1-3; International Telecommunications Union, supra note 17, at 29; Moore,
supra note 127, at 8.
States;415 an unregulated cyberspace “gives [States] more room to
explore new ways of projecting power.”416
Despite these barriers, a number of States have submitted voluntary
reports on domestic cybersecurity practices in 2015417 and 2016.418 We
hope that cyber-defence technology matures and is shared through
best-practice dialogue. It remains unclear whether best-practice
compliance will become attractive to States.

VI. CONCLUSIONS

Our world is increasingly digital. Cyber-infrastructure now underpins
many of the essential features of a modern society. Cyberspace pervades
our lives and the dangers of its ill-use are publicly recognized.
Citizens reap the benefits of cyber-technology, at the same time expecting
governments to shield them from transnational cyber-threats.419
On interconnected threats, the U.N. Secretary General has
remarked: “we must found a new security consensus, the first article
of which must be that . . . whatever threatens one threatens all.”420
Indeed, cyber-technology disregards political and cultural borders and
grants unlimited reach to private actors. But there is no need to panic.

415. Jason Fritz, How China will Use Cyber Warfare to Leapfrog in Military
Competitiveness, 8 Cult. Mandala 28 (2008).
416. Czosseck, supra note 9, at 16.
417. Report of the Sec’y General, Developments in the Field of Information and
Telecommunications in the Context of International Security, 70th sess., item
93, U.N. Doc. A/70/172 (July 22, 2015).
418. Report of the Sec’y General, Developments in the Field of Information and
Telecommunications in the Context of International Security, 71st sess., item
94, U.N. Doc. A/71/172 (July 19, 2016).
419. Cass R. Sunstein, Laws of Fear: Beyond the Precautionary Principle
41-45, 96-97 (2005); Eric Windholz, Testimonial: Public International Law Careers
Guide (2016), available at http://www.monash.edu/law/centres/castan-
centre/careers-guide/testimonials/eric-windholz (last visited Sep. 2, 2016).
420. Report of the Secretary-General of the United Nations, In Larger Freedom: Towards
Development, Security and Human Rights for All, U.N. Doc. A/59/2005
(2005), p. 25 para. 81.
Governments, in Cass Sunstein’s words, should “take careful steps to
ensure that laws and policies reduce, and do not replicate, the errors to
which fearful people are prone.”421 The same applies for international
law.
This paper assesses cyber-diligence practically, pre-empting how
States may respond to a range of cyberattack outcomes. It advocates a
narrow model of cyber-diligence under international law. Examining
possible analogies, the paper concludes that the model of counter-terrorism
is most applicable to cyber-diligence. It prepares the
groundwork on defining cyber-diligence obligations should a catalysing
event spur increased cyberspace regulation. Only then, perhaps, can
we gauge States’ receptiveness to increased cyber-diligence duties in
response to public demands. Any obligation of cyber-diligence devised
in response to such a catalyzing event should not be an expansive one.
The obligation should be limited to acquiring capacity and terminating
ongoing cyberattacks. Incorporating a preventive principle from
established models of due diligence overlooks the differences between
transnational threats and transboundary threats. The former flout
jurisdictional control, while the latter can be effectively prevented with
a priori regulations.
This paper offers an alternative argument to the (somewhat radical)
calls for an obligation of cyber-diligence following environmental law
models. Calls for the application of strict models of diligence reflect an
“inaccurate assessment of [the] probability” of serious consequences
from a cyberattack.422 Such a model would risk hyper-regulating
cyberspace to reflect human insecurity. Instead, industry-led preventive
measures should secure infrastructure.
We do not suggest that future cyberattacks could not cause
calamities. But cyberattacks are a minor threat compared to natural
disasters, for example.423 Cyberattacks have not injured individuals and
arguably have not destroyed physical objects. “Serious attacks” affecting
network functionality are few and far between. But the Estonian and
Georgian incidents demonstrate that they can occur.
At a minimum, to establish breaches of cyber-diligence, the victim

421. Sunstein, supra note 419, at 226.
422. Id. at 39; Sunstein, supra note 80, at 120.
423. Sunstein, supra note 419, at 45.
State must produce clear and convincing evidence:
1. of the territorial State’s constructive knowledge; and
2. that the cyberattack caused category (1) (physical
destruction) or category (2) (incapacitation) injury to objects
or subjects within their territory.
The above elements establish a cyber-diligence framework. It is
hoped that the framework matches States’ concerns in practice and
can guide their cybersecurity policies. Beijing and Washington, from
our opening example, should not bear a cyber-diligence obligation in
relation to defacement of each other’s websites. Even if constructive
knowledge can be established, the hacktivism did not cause injury of
the requisite threshold to trigger the obligation.
Cyber-diligence will continue to be debated within academia before
States employ relevant measures. It is hoped that this paper contributes
a balanced response to the present scholarship.

Footnotes from table in section III.D.
1. Seabed Mining Advisory Opinion (2011) ITLOS Reports 10, paras 218–19.
2. Id. paras 223–26.
3. Id. para. 218; Pulp Mills [2010] I.C.J. Rep. 14, 58 para. 197.
4. Stephen Corones, Competition Law in Australia para. 1.105 (6th ed.
2014).
5. Independent Committee of Inquiry, Hilmer Report 1993 5 (Nat’l
Competition Pol’y, Report by the Independent Committee of Inquiry, 1993).

6. Seabed Mining Advisory Opinion (2011) ITLOS Reports 10, [241].
7. See infra, III.C.

IV Indonesian Journal of International & Comparative Law 191-260 (April 2017)