State responsibility and cyberattacks: defining due diligence obligations

Cyberattacks are proliferating. Live trackers record over 6 million cyberattacks daily. Information technology-dependent societies increasingly perceive cyber-threats as a destabilising force and citizens inevitably look to the State for protection. This paper concerns one form of State protection: whether States owe due diligence obligations in cyberspace under the laws of State responsibility. Specifically, it re-examines the contents of such an obligation and the circumstances which could trigger it in light of cyberattacks' peculiarities. A straightforward replication of due diligence models from international environmental law or law of the sea is not appropriate. But cyber-diligence should incorporate certain principles found within both models and channel ultimate responsibility for securing cyber-infrastructure onto private industry. Counter-terrorism obligations are the most useful body of law in which to seek an analogy. This paper argues that a State's cyber-diligence obligation is triggered, at a minimum, by: (1) constructive knowledge of a cyberattack, (2) which causes serious injury to an operating network. These contents and triggers define a cyber-diligence framework. Public pressure on the State and the market to intensify responses to transnational cyber-threats will drive the adoption of such principles.