‘Cyber Due Diligence’: A Patchwork of Protective Obligations in International Law

With a long history in international law, the concept of due diligence has recently gained traction in the cyber context, as a promising avenue to hold states accountable for harmful cyber operations originating from, or transiting through, their territory, in the absence of attribution. Nonetheless, confusion surrounds the nature, content and scope of due diligence. It remains unclear whether it is a general principle of international law, a self-standing obligation or a standard of conduct, and whether there is a specific rule requiring diligent behaviour in cyberspace. This has created an ‘all-or-nothing’ discourse: either states have agreed to a rule or principle of ‘cyber due diligence’, or no obligation to behave diligently would exist in cyberspace. We propose to shift the debate from label to substance, asking whether states have duties to protect other states and individuals from cyber harms. By revisiting traditional cases, as well as surveying recent state practice, we contend that – whether or not there is consensus on ‘cyber due diligence’ – a patchwork of different protective obligations already applies, by default, in cyberspace. At their core is a flexible standard of diligent behaviour requiring states to take reasonable steps to prevent, halt and/or redress a range of online harms.


Introduction
Due diligence has recently become a buzzword in the 'cyber domain'. The renewed interest in the concept can be explained by the persistent challenges of factually and legally attributing malicious cyber operations to states. Anonymizing and rerouting techniques, such as virtual private networks (VPNs) and other internet protocol (IP) 'voluntary, non-binding norm' of responsible state behaviour in cyberspace. On the other hand, the group of experts involved in the second edition of the Tallinn Manual on the International Law Applicable to Cyber Operations (hereinafter 'the Tallinn Manual') agreed that a general rule or principle of this kind already exists in customary international law, and is applicable in cyberspace. 6 Rule 6 of the Tallinn Manual requires a state to 'exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states'. 7 On their face, these views seem irreconcilable, and neither of them has gone unchallenged. 8 We contend that the current debate misses the point by focusing too much on the meaning of 'due diligence' and its applicability to cyberspace. This has resulted in binary, 'all-or-nothing' views: either consensus has been reached on what is 'cyber due diligence' or there would be a legal gap in protection – states would have no binding obligations but only voluntary undertakings to behave diligently in their use of ICTs. The confusion partly stems from the inconsistent use of the label 'due diligence' as a general principle of law or international law, one or more state obligations or a standard of behaviour applying in different areas of international law. 9
To avoid those confusions and contradictions, we propose to shift the debate from label to substance. Rather than inquiring whether 'due diligence' applies in cyberspace, the question we should be asking is to what extent states have obligations to protect other states and individuals from cyber harms.
6 M. Schmitt (ed.), Tallinn Manual 2.0 (2nd ed. 2017) 30, rule 6; 43, rule 7 (hereinafter Tallinn Manual 2.0).
7 Ibid., at 30. The Manual is the result of the work of a group of experts and seeks to comprehensively analyse how international law applies in cyberspace.
8 … open-ended working group on developments in the field of information and telecommunications in the context of international security (hereinafter 'OEWG') (11 February 2020), available at https://media.un.org/en/asset/k18/k18w6jq6eg (timestamp 02:15:05, hereinafter 'Argentina's OEWG Statement'); Schondorf, 'Israel's Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations', EJIL: Talk! (9 December 2020), available at www.ejiltalk.org/israels-perspective-on-key-legal-and-practical-issues-concerning-the-application-of-international-law-to-cyber-operations/; and, albeit in a less clear-cut way, New Zealand, The Application of International Law to State Activity in Cyberspace (1 December 2020), § 17, available at https://dpmc.govt.nz/publications/application-international-law-state-activity-cyberspace; United Kingdom Mission to the United Nations, United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security: Application of International Law to States' Conduct In Cyberspace (3 June 2021), available at https://www.gov.uk/government/publications/application-of-international-law-to-states-conduct-in-cyberspace-uk-statement, para 10.
In answering this question, we conclude that whether or not a general principle of due diligence applies to ICTs or a binding, cyber-specific 'due diligence rule' exists, states continue to be bound by a patchwork of duties to prevent, stop and redress harm applying by default to cyberspace. These 'protective obligations' are grounded in several primary rules of international law enshrining a standard of due diligence – that is, obligations that require states to exert their best efforts in preventing, halting and redressing a variety of harms, online and offline.
This article begins, in Section 2, by explaining why, despite the longstanding confusion surrounding its exact meaning and scope, we believe that 'due diligence' in international law is better understood as a standard of conduct. This standard usually refers to harm prevention, mitigation and redress, but it varies across the different 'protective' obligations where it is found, as well as the states, circumstances and fields in which they apply. Examples include international environmental law, law of the sea, diplomatic protection, international investment law, international humanitarian law and international human rights law, under treaty or customary international law. 10 Section 3 then explains why the entirety of international law – including the said 'protective' obligations – applies by default to cyberspace, in the absence of a rule to the contrary. This claim is backed by evidence of relevant state practice and expressions of opinio juris.
In what is this article's main contribution to the current academic debate, Section 4 maps out four sets of protective duties requiring states to prevent, halt or redress certain harms by behaving diligently in cyberspace. Two of these can be traced to primary obligations of general international law: (i) the duty of states not to knowingly allow their territory to be used for acts that are contrary to the rights of third states, articulated in the Corfu Channel case, 11 which we call the 'Corfu Channel' principle; 12 and (ii) states' duty to prevent and remedy significant transboundary harm, even if caused by lawful activities, known as the 'no-harm' principle. 13 In addition, specific bodies of international law establish due diligence duties which also apply to cyberspace. Of particular relevance to ICTs are: (iii) the obligation of states to protect human rights within their jurisdiction; and (iv) states' duties to ensure respect for international humanitarian law and to adopt precautionary measures against the effects of attacks in the event of an armed conflict. We locate the legal basis of each of those primary rules in customary or conventional international law, unpack the various standards of due diligence they enshrine and explore the extent to which they apply to states' use of ICTs.
Lastly, Section 5 demonstrates that, despite their multifaceted nature, common features underlie the different protective obligations. As such, they might apply concurrently and inform one another's interpretation in cyberspace and beyond.
The 'patchwork approach' marks a paradigm shift in the understanding and conceptualization of international law concerning diligent state behaviour in cyberspace.
Though not a silver bullet against current cybersecurity challenges, we conclude that this international legal 'patchwork' of protective obligations does provide a solid and comprehensive legal basis for harm prevention and accountability.

The Nature and Function of Due Diligence in International Law
Despite the renewed interest in due diligence, 14 the concept is not new. Its modern origins can be traced back to a series of 19th and early 20th century arbitrations relating to the protection of aliens abroad. 15 Already at that time, due diligence was linked to a positive obligation of conduct, a 'best efforts' duty, requiring states to act with reasonable care in the circumstances, and holding them responsible for wilfully negligent omissions. Later on, the Island of Palmas arbitral award found that such obligation is a corollary of states' sovereign rights over their territory, requiring them to protect the rights of other states therein. 16 Since then, the concept has evolved alongside several primary rules of international law.
First, in the Corfu Channel case, the International Court of Justice (ICJ) held that 'it is every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States', 17 most – but not all – of which constitute internationally wrongful acts. 18 law', applies generally to all states, 19 and a failure to exercise the requisite degree of diligence gives rise to state responsibility. 20 Second, as a result of the growing concern over environmental harm and other hazards crossing national borders, due diligence also features in the general obligation not to cause significant transboundary harm to persons, property or the environment. 21 This obligation has existed at least since 1941, when the Trail Smelter arbitral tribunal found that a state 'owes at all times a duty to protect other states against injurious acts by individuals from within their jurisdiction'. 22 Likewise, Article 3 of the International Law Commission's (ILC) 2001 Draft Articles on Prevention of Transboundary Harm from Hazardous Activities recognizes a duty of States to 'take all appropriate measures to prevent significant transboundary harm or at any event to minimize the risk thereof'. 23 This provision mirrors customary international law, 24 and is, according to the ILC, an 'obligation of due diligence', requiring states not necessarily to successfully prevent or halt significant transboundary harm, but 'to exert [their] best possible efforts to minimize [such] risk'. 25 The customary basis of this duty, known as the 'no-harm' or 'good neighbourliness' principle, has also been affirmed by the ICJ, 26 which noted its origins in the broader 'principle of prevention', alongside the Corfu Channel principle. 27 Similar duties to behave diligently exist under international human rights law (IHRL). These are positive obligations of states to protect and ensure individual human rights, whether online or offline, 28 to the extent possible.
29 Likewise, the duties to ensure respect for international humanitarian law (IHL) and to take precautions to protect civilians against the effects of attacks during armed conflict are also obligations to exercise due diligence. 30 And other more or less specific duties of reasonable care arise in respect of different harms, such as the duty to prevent genocide under Article I of the Genocide Convention, 31 the obligation to prevent marine pollution, 32 the duty to ensure that mining activities in the deep seabed area do not cause damage to the environment and human life 33 and duties to cooperate in the investigation and prosecution of transnational crime. 34 This variety of primary rules recognizing a duty of reasonable care suggests that 'due diligence' itself is simply a standard of behaviour that is found in different 'protective' obligations and varies across different fields, duty-bearers and factual circumstances. 35 Thus, references made in the literature to 'due diligence obligations' or 'duties of due diligence' seem to be a shorthand for a series of obligations which have in common the imposition of a preventive or remedial duty, compliance with which is measured against a certain standard of diligent behaviour. 36 Thus, lack of due diligence gives rise to a breach of an international obligation, in the same way that negligence, or lack of reasonable care, entails a breach of a duty of care in many domestic legal systems. 37 As the International Law Association (ILA) found in its recent study on the topic:
At its heart, due diligence is concerned with supplying a standard of care against which fault can be assessed. It is a standard of reasonableness, of reasonable care, that seeks to take account of the consequences of wrongful conduct and the extent to which such consequences could feasibly have been avoided by the State or international organisation that either commissioned the relevant act or which omitted to prevent its occurrence. 38
Those various duties primarily seem to involve a triangular relationship between (i) the duty-bearer, i.e. the state having an obligation to behave diligently in preventing, halting or redressing the harm or the risk thereof; (ii) the source of harm, i.e. the state, non-state entity or natural event causing the harm; and (iii) the beneficiary of the duty, i.e. the state or non-state entity suffering the consequences of the harm. 39 It is for this reason that we conceptualize and frame these duties as 'protective obligations', in that they require the duty-bearer to behave diligently in protecting the beneficiary against harm. Possible sources of harm include state agents, private individuals acting alone or in groups, as well as corporations. Beneficiaries, who may or may not hold a specific right vis-à-vis the duty-bearer, could be other states, individuals or private companies. 40 When the duty-bearer state is the very source of the harm affecting an individual or an object, and the relationship with the beneficiary is linear rather than triangular, whether or not the protective duty is one of due diligence depends on the primary obligation in question. The Corfu Channel principle seems to be limited to a duty to prevent third-party activities that cannot be attributed to the duty-bearer state. 41 In contrast, the no-harm principle, 42 duties to protect and ensure human rights 43 and obligations to take precautions under IHL 44 all seem to apply not only to cases where the duty-bearer state fails to prevent harm by third parties but also where the state itself causes the harm in question and thereby fails to prevent, stop or redress it.
19 Corfu Channel, Judgment, 9 April 1949, ICJ Reports (1949)
Thus, protective obligations have been commonly associated with the idea that states must behave diligently with a view to preventing, stopping or redressing a variety of harms or risks to persons, property or territory, ranging from internationally wrongful acts to lawful activities or even accidents. Each primary obligation to exercise due diligence is triggered and limited by a variety of factors, including (i) the existence of a specific type of harm or risk; (ii) the crossing of a threshold of seriousness of this harm or risk; (iii) a nexus between the state and the harm or risk in question; (iv) some degree of knowledge of the harm or risk; and (v) a state's capacity to act in the circumstances. 45 However, as will become clearer in the following sections, each of those elements might differ across various protective duties.
We contend that these duties, found in different branches of conventional and customary international law, cover numerous aspects, uses and consequences of ICTs, as they do with other technologies. In what follows, we first establish the applicability of some of those duties to ICTs. We then delve deeper into the extent to which these duties require states to prevent, halt and redress online harms.

The Applicability of Existing Protective Obligations in Cyberspace
As a preliminary point, the applicability of existing protective obligations to cyberspace might be challenged on two principal legal bases. First, one may query whether certain international obligations conceived for the 'offline' world equally apply to cyberspace, as a new 'domain' or technology. 46 Secondly, it could be argued that states have, in their practice and expressions of opinio juris, actively carved out cyberspace from the scope of application of said duties.
In addressing those possible objections, it is important to note that several states and international institutions have consistently affirmed the application of international law as a whole to cyberspace, including, in particular, rules and principles that flow from sovereignty. 47 And this is because rules of general international law apply, by default and across the board, to all areas and types of state activity. This is so to the extent that the activities in question fall within the scope of those rules and exceptions or more specific rules do not displace them. 48 For this reason, several states have stressed that rules of international law are technology-neutral, even if questions remain as to how they apply to new means of communication. 49 After all, as a means to a variety of ends, ICTs cannot be severed from the activities to which they serve and, consequently, from the rules governing them.
Two key rules deriving from the principle of sovereignty and applying generally in international law are precisely the Corfu Channel and the no-harm principles. Thus, the presumption we ought to proceed from is that they apply to ICTs, in the absence of leges speciales to the contrary. 50 In the same vein, the scope of application of IHRL and IHL is broad, only limited by their respective triggers and subject matter. 51 This means that, by default, positive duties established in both regimes apply to cyberspace, in the absence of specific carve-outs excluding ICTs from their scope of application. There is no evidence of such an exception, and admissible derogations from such obligations must be interpreted restrictively, due to their erga omnes character. 52 On the contrary, states have not only invoked general international law, IHRL and IHL but also supported the applicability of different protective obligations in cyberspace, even if in a somewhat fragmented way. For instance, as far back as 2011, the then United States (US) government recognized the application of positive IHRL duties online as well as a duty to prevent cybercrime. 53 Shortly thereafter, the Council of Europe issued a recommendation recognizing the applicability of the no-harm principle to malicious cyber activities. 54 The Explanatory Memorandum adds that this principle sets forth a standard of care or due diligence for the protection and promotion of integrity and universality of the Internet . . . . Under such a standard, states are required to take reasonable measures to prevent, manage and respond to significant transboundary disruptions to or interferences with the infrastructure or critical resources of the Internet In accordance with the principle of due diligence, States have the obligation to not knowingly allow their territory to be used to commit acts prohibited by international law against third States through the use of cyber means. 
This obligation also applies to activities conducted in cyberspace by non-state actors situated in the territory or under the jurisdiction of the State in question. 57 Similarly, Estonia has expressed the view that 'states have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states'. 58 Using different wording, Australia has pointed out that 'to the extent that a state enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other states'. 59  on developments in the field of information and telecommunications in the context of international security (February 2020), available at https://ccdcoe.org/uploads/2018/10/Statement-on-International-Law-by-Finnish-Ambassador-Janne-Taalas-at-2nd-session-of-OEWG.pdf (emphasis added).
It has also recognized that 'each State has to protect individuals within its territory and subject to its jurisdiction from interference with their rights by third parties'. 61 And, in what seems to combine different rules, The Netherlands have posited that:
The principle is articulated by the International Court of Justice, for example, in its judgment in the Corfu Channel Case, in which it held that states have an obligation to act if they are aware or become aware that their territory is being used for acts contrary to the rights of another state. … It is generally accepted that the due diligence principle applies only if the state whose right or rights have been violated suffers sufficiently serious adverse consequences. 62
Similar statements have been made by the Czech Republic, 63 the Republic of Korea, 64 Japan, 65 Austria, 66 the Dominican Republic, 67 Chile, Ecuador, Guatemala, Guyana and Peru. 68 Taken together, they overshadow the contrary statements made so far by Argentina, Israel, New Zealand and the United Kingdom, which either reject or question the applicability of due diligence duties to ICTs. 69 Most importantly, they strongly support the view that existing protective obligations containing a due diligence standard are fully applicable to ICTs, even if their specific implementation requires additional guidance. That said, two important questions remain open: (i) whether an all-encompassing 'principle of due diligence' exists generally in international law; and (ii) whether a single protective obligation – with a corresponding due diligence standard – exists specifically for cyberspace. 70 In particular, some have suggested that rule 6 of the Tallinn Manual and similar cyber-articulations of the concept of due diligence are lex ferenda 71 or mere interpretations of how an existing, wide-ranging 'due diligence obligation' should apply to cyberspace. 72 They have pointed to several reasons of policy behind states' reluctance to commit to a new rule.
For instance, states may fear that a fine-grained due diligence standard for cyberspace would be too burdensome to implement and could stifle its necessary flexibility. 73 Alternatively, such a new obligation may put in question the applicability and binding character of existing ones. 74 It is also possible that, by widening the scope of unlawful acts in cyberspace, a new protective 'cyber due diligence' obligation could increase resort to countermeasures and litigiousness among states. 75 Perhaps the choice of using 'due diligence' to label a range of duties is misleading: its simplicity masks the complexity and diversity of protective obligations requiring diligent behaviour to prevent, halt and redress certain harms. Part of the confusion also seems to arise from the framing of ICTs as a new space or 'domain', rather than a new set of information and communication tools. 76 Nevertheless, the important takeaway is this: the uncertainty surrounding a general principle or a cyber-specific version of due diligence does not mean that cyberspace is a 'duty-free zone'. For, however we label it, an existing patchwork of primary 'protective obligations' already requires states to behave diligently in preventing, halting and redressing different types of harmful cyber operations.

Four Sets of Protective Obligations in Cyberspace

A The Corfu Channel Principle: A Duty to Prevent Cyber Acts Contrary to the Rights of Other States
The first protective obligation whose applicability in cyberspace has found support among states 77 and commentators 78 is the 'well-recognized' Corfu Channel principle. 79 This duty is a natural corollary of states' sovereign rights over their territory and, in essence, requires them to protect the rights of other states therein. 80 The obligation covers not only acts that directly violate the rights of third states, including their rights to territory and property, but also those of their nationals, even when abroad. 81 It comprises a duty to both prevent and stop the harmful acts in question 82 and arises as soon as a state knows or should have known 83 that such act originates from or transits through its territory. 84 Though in essence a preventive duty, the obligation is only breached when the harm materializes. 85 In a sense, this makes it an obligation without sanction for non-compliance, unless actual harm occurs. Often seen as a shortcoming, this norm structure may be explained by the need to encourage states to continuously prevent harm before their responsibility can be engaged. It also notes that this ought to include not only breaches of international law attributable to States, but also conduct that would have been unlawful if committed by the 'host' state, no matter its source. 89 But while the Corfu Channel dictum recognizes state responsibility for lack of diligence in preventing or stopping acts of non-state actors regardless of attribution, 90 no reference is made to either acts merely affecting the rights of other states or fully fledged internationally wrongful acts, i.e. breaches of international law attributable to a state. Instead, the language used in Corfu Channel is that of 'acts contrary to the rights of other states'. 91 In our view, this language does not fully mirror the two concepts featuring in Rule 6 of the Tallinn Manual 2.0 but perhaps sits in between them.
Although most acts contrary to the rights of other states are internationally wrongful acts, the overlap is not complete. First, not all acts committed by non-state groups which are contrary to the rights of other states also constitute internationally wrongful acts or would have done so if committed by the territorial state. 92 The Tallinn Manual 2.0 also does not clarify whether, in speculating if the conduct would have been unlawful if committed by the host state, one must consider the concrete circumstances prevailing at the time or the obligations of the host state in abstracto. 93 A second difference may concern acts that are not unlawful given the existence of circumstances precluding wrongfulness but that would still entitle the 'victim' state to claim compensation for a material loss. 94 Thus, the framing of the type of harm covered by the Corfu Channel principle as 'internationally wrongful acts' is not entirely accurate. And neither is its qualification as 'acts that affect the rights of other states'. This is because not all acts merely affecting the rights of third states – such as certain instances of cyber espionage 95 – necessarily contravene their rights. Furthermore, acts covered by the Corfu Channel principle need not result in physical damage. 96 This is particularly important in cyberspace, where many harms have no direct material impact yet may hamper the operation of governmental or private functions, such as disruptions of financial or media services. 97
72 See, e.g., Milanovic
95 … www.dfat.gov.au/sites/default/files/submission-by-australias-representative-to-the-gge-norm-implementation-may-2020.pdf; The Netherlands, Letter of 5 July 2019, supra note 62, Appendix, at 4; Okwori, supra note 50, at 219.
96 Kolb, supra note 37, at 121; The Netherlands, Letter of 5 July 2019, supra note 62, at 5.
97 See Tallinn Manual 2.0, supra note 6, at 38.
An example of cyber activities 'contrary to the rights of other States' may be found in the United Kingdom's recent condemnation of 'irresponsible activity being carried out by criminal groups' and 'cyberattacks by States and non-States actors' during the COVID-19 pandemic. 98 The acts in question consisted of 'malicious cyber campaigns targeting international healthcare and medical research organizations involved in the coronavirus response', which were clearly contrary to the rights of targeted states, regardless of any material harm caused.

Threshold of Harm?
Rule 6 of the Tallinn Manual is said to be engaged only if an internationally wrongful act has 'serious adverse consequences' for other states. 99 This threshold of harm is not found in pre-existing iterations of the Corfu Channel principle. Instead, it seems to have been borrowed from the no-harm principle, 100 which requires significant transboundary harm but not necessarily an act contrary to the rights of other states. Like much of the existing literature on due diligence, 101 the Manual seems to have merged the two principles into one single rule or principle requiring due diligence in cyberspace. 102 However, that is not to say that a failure to prevent or halt any cyber harm, regardless of its gravity, amounts to a breach of the Corfu Channel principle. States are not responsible for failing to avoid minor or negligible disruptions, such as the temporary defacement of non-essential government websites. But this is not because the principle contains a specific harm threshold. Rather, it is because those harms may not be contrary to the rights of other states. 103 For instance, in many circumstances, mere exfiltration or corruption of data – according to some – may not be contrary to the victim state's sovereign rights over its territory 104 or its right not to be subjected to foreign intervention. 105 Conversely, lack of due diligence in preventing or stopping malicious cyber operations that interfere with a state's inherently sovereign functions or domaine réservé, such as its ability to establish public health policies or to hold elections, might breach the Corfu Channel principle. And this includes acts occurring entirely within the duty-bearer's territory, as the Corfu Channel principle does not require the physical crossing of a territorial boundary. 106

Scope of Preventive Duties
Drawing on the duty to prevent genocide, the group of experts involved in Tallinn 2.0 rejected the view that states have a 'general duty of prevention', that is, a duty to prevent future malicious cyber operations. 107 For the Tallinn 2.0 experts, the Corfu Channel principle only applies to ongoing, or at most imminent, operations, at least as far as cyberspace is concerned. 108 This would limit the scope of the duty to an obligation to simply halt harmful cyber operations. 109 As a consequence, when discharging this duty, states would not be required to adopt strictly preventive, ex ante measures, such as continuous supervision or monitoring of their networks. 110 This view has been justified by the current lack of technical feasibility to prevent online harms, given their frequency and speed, as well as privacy concerns. 111 But this misses the point. Protective obligations, including the Corfu Channel principle, are inherently flexible. They depend on the capacity and position of each state to prevent or halt the harm in question, whether the cyber operation originates from or transits through its territory. 112 Thus, a state is not required to do the impossible, and different states may be required to adopt different measures in different circumstances. State practice in this respect reveals that a range of measures has been adopted to prevent harmful cyber operations. These have included cyber-threat monitoring 113 and the issuance of alerts and advisories to address software or hardware vulnerabilities. 114 Yet such flexibility is no excuse for inaction. A logical prerequisite to protective obligations of conduct is a separate obligation to put in place the minimum governmental infrastructure that is reasonable in the circumstances, enabling a state to exercise the necessary degree of diligence. 115 This is likely an obligation of result, i.e. a baseline governmental infrastructure must be established. 116 Indeed, if a state could simply claim that it has exercised its best efforts for this purpose, the main duty to prevent harm could be easily evaded. However, the content of such capacity-building obligation - the result required from each state - does not seem to be fixed, but dependent on the circumstances, in particular, available human and financial resources.
Thus, the Corfu Channel principle contains two distinct but interconnected limbs. 117 First, there is an obligation to set up a minimal state apparatus - a core 'capacity-building' duty. Recent state practice in the cyber context indicates that such a duty would include the adoption and implementation of an adequate national legal framework tackling cybercrime and misuse of ICTs. 118 Secondly, there is an obligation of conduct to exercise due diligence to prevent and halt potential or actual cyber operations contrary to the rights of other states, to the extent of a state's capacity to act in the circumstances. Thus, a state's capacity to act not only triggers its obligation of conduct but also limits and modulates the measures it is required to adopt. However, as with other protective duties, required measures may change on the basis of new technological developments. 119 For instance, if a state has or acquires cyber monitoring technologies enabling it to anticipate and prevent certain malicious cyber operations, these must be used as far as possible. 120 While these technologies may raise concerns about privacy and other rights, it suffices to note that the implementation of

Knowledge Requirement
In any event, the obligation to act in accordance with the Corfu Channel principle is only activated when a state knows, or should have known, about a serious risk that an unlawful cyber operation will take place, no matter how remote such a risk is. 122 Thus, the decisive factor is how much information and certainty a state possesses about the harmful act in question, rather than how imminent or proximate it is. 123 The same applies to transit states, to the extent that they have actual or constructive knowledge of the risk of an unlawful cyber operation, as well as the capacity to prevent it. 124 At the same time, it does not appear that the Corfu Channel principle imposes on states a duty to actively seek knowledge of acts emanating from or transiting through their territory which would be contrary to the rights of other states. 125 What it does require is the minimum governmental infrastructure or capacity enabling states to acquire such knowledge. 126 Yet it has been suggested that the knowledge requirement may be proven by a (rebuttable) presumption when an unlawful cyber operation originates in non-commercial cyber infrastructure under a state's exclusive governmental control. 127 This could prevent states from easily evading their protective obligations by denying knowledge of a certain unlawful cyber operation.
In short, 'the more states can do, the more they must do', 128 and great responsibility follows inseparably from great power, 129 to the extent that such power permits. Therefore, complying with the Corfu Channel principle in cyberspace should not be an insurmountable feat: it simply requires states to build the minimum capacity that is reasonably expected of them, as well as to employ this capacity diligently in trying to protect the rights of other states, as far as possible. 130 In many circumstances, reporting and sharing information about cyber incidents will suffice. 131

B The Duty to Prevent and Redress Significant Transboundary Cyber Harm
Despite their similarities, particularly a common 'capacity-to-act' requirement, the no-harm and Corfu Channel principles should be distinguished, given their distinct elements and legal consequences. 132 There are at least four significant differences between the two primary obligations: i) the type of harm; ii) the threshold of harm; iii) the knowledge requirement; and iv) the legal consequences of a failure to comply with the duty.

Type of Harm
Unlike the Corfu Channel principle, the no-harm principle does not require the infliction of an act contrary to the rights of other states but covers any 'significant transboundary harm' or the risk thereof, even if caused by lawful activities or no state right is undermined. 133 In 'cyberspace' as in more traditional 'spaces', such as land, air and sea, the crossing of a border occurs when harm is caused or felt in the territory of - or in other places or infrastructures under the jurisdiction or control of - a state other than the state of origin. 134 This is so to the extent that ICTs remain grounded in physical spaces or structures and are used or controlled by human beings, even if certain online activities cause primarily non-physical effects. 135 While some have questioned whether this obligation applies outside of the environmental legal framework, there are strong reasons to suggest that it covers any type of transboundary harm, 136 including harm caused through ICTs. In particular, the Trail Smelter arbitral tribunal found that the obligation not to cause transboundary harm includes any 'injurious act' to the territory of another state, persons or property therein. 137 In doing so, it looked at precedents dealing not only with environmental hazards but also the use of weapons and the treatment of aliens. 138 Similarly, according to the ICJ, the no-harm principle is a manifestation of the general principle of prevention and therefore closely relates to the Corfu Channel rule. 139 Granted, this general finding was made in the context of a state's obligation 'to use all the means at its disposal in order to avoid activities which take place in its territory, or in any area under its jurisdiction, causing significant damage to the environment of another State'. 140 Yet, that the Court specifically highlighted the existence of this duty, 'now part of the corpus of international law relating to the environment', 141 as was relevant to that case, by no means exhausts or negates the general applicability of the no-harm principle beyond the environmental realm. In fact, the ILC has clarified that its Draft Articles on Prevention of Transboundary Harm apply to 'harm caused to persons, property or the environment', which includes 'detrimental effects on matters such as, for example, human health, industry, property, environment or agriculture'. 142 For those reasons, many commentators have persuasively expressed the view that the no-harm principle applies to a range of harms committed through ICTs, whether or not they are contrary to the rights of other states. 143 Admittedly, many harmful cyber operations will be contrary to at least one rule of international law and will likely be contrary to the rights of other states. In particular, if sovereignty is a standalone rule of international law, intrusions into governmental networks or systems by another state that cause physical or functional harm in another state's territory may breach such rule. 144 Likewise, coercive cyber interference with a state's exclusive governmental functions, such as its ballot-counting or national banking systems, would violate the principle of non-intervention. 145 And to the extent that those cyber incursions violate the rights of individuals, such as their right to free elections, privacy or property, they would likely violate international human rights law. 146 This should be true at least for negative human rights obligations, 147 for which a state's jurisdiction may be triggered by the exercise of control over the activity in question, 148 the digital communications infrastructure 149 or the enjoyment of the victim's human rights, 150 regardless of physical proximity between the perpetrator and the victim.
However, no rule of international law needs to be breached or contravened for the no-harm principle to apply. 151 This gives the principle a potentially wide scope of application which is particularly well-suited for cyberspace, where debates continue as to the nature of sovereignty, jurisdiction and prohibited intervention. 152 It may be the only applicable international rule requiring states to prevent, stop and redress certain low-intensity cyber operations. 153 Although the no-harm principle requires the crossing of an international boundary, 154 it is not limited to physical harms. 155 Often referred to as 'international cybertorts', 156 these transboundary operations may include substantial financial loss, functional and/or physical damage to private networks or systems, data corruption or loss, reputational injuries and political consequences. 157

Threshold of Harm
probability of occurrence of an accident and the magnitude of its injurious impact'. 159 Thus, it covers activities carrying a 'low probability of causing disastrous harm', as well as operations where there is 'a high probability of causing significant harm'. 160 In cyberspace, this could potentially include physical, functional or non-physical harm to hardware, software, data or their individual users. Such harms may be caused by online mis- and disinformation campaigns, especially those taking place during elections 161 or public health crises, 162 as well as the exploitation of vulnerabilities in widely used IT supply chain products. 163 The determination of what amounts to significant harm involves a subjective assessment that varies depending on the circumstances prevailing at the time, in particular, existing scientific knowledge, the economic value of the activity or good in question and the extent of the damage caused. 164

Knowledge Requirement
Both the no-harm and the Corfu Channel principles are triggered by actual or constructive knowledge of a risk and exclude unforeseeable harms. 165 However, the no-harm principle also applies where there is 'low probability' of 'disastrous harm'. 166 Thus, it may require more proactive measures of vigilance or monitoring, 167 variable on the basis of the seriousness of the harm. 168 Again, a requirement to be continuously vigilant in the use of ICTs 169 - or any other technology for that matter - depends on each state's capacity to act 170 and must be consistent with other international obligations. All in all, the more feasible it is for states to predict that a certain harmful cyber operation is forthcoming, the greater the degree of diligence required. Such flexibility, however, must always be assessed against a core component of the no-harm principle, i.e. a state's duty to 'keep abreast of technological changes and scientific developments', 171 which suggests a requirement to continuously engage in capacity building, to the extent feasible in the circumstances. 172

Legal Consequences
As seen earlier, the Corfu Channel principle is triggered once a state knows or should have known of the serious risk of an act contrary to the rights of other states emanating from or crossing its territory and is breached when the act in question occurs. It is at this point that the responsibility of the duty-bearer is engaged and other states can respond with countermeasures. Conversely, under the no-harm principle, the occurrence of harm or the risk thereof, which a state has failed to prevent or halt, does not automatically engage the responsibility of the duty-bearer. It is only after a state fails to compensate the victim for the damage caused that a breach of the no-harm principle arises. 173 In this way, the no-harm principle is simultaneously a primary and secondary rule of international law: it requires states to take action and foresees the very consequences arising from a failure to act. 174 Those consequences are, first, liability for the harm caused, and, secondly, responsibility for the eventual failure to redress it. 175 This norm structure is a logical consequence of the principle's emphasis on reparation: states are given an opportunity to redress the harm before their responsibility is engaged. It is not the harm itself or the failure to prevent it that are unlawful, 176 but the failure to redress it. The advantages of applying this regime to cyberspace include increasing the costs of harmful cyber operations and deterring them, avoiding the stigma and antagonism associated with unlawful acts and fostering victim redress. 177 In the ICT context, given the interconnectivity and interdependence of different networks, international cooperation, 178 vulnerability disclosure 179 and cyber incident recovery plans 180 have been highlighted as key measures of redress.

C The Obligation to Protect Human Rights Online
The increasing number of everyday activities which are carried out online has exposed human rights to infinite possibilities of harm. Just to mention probably the most egregious example, the right to privacy is seriously endangered by the constant tracking and mining of online activities and data, as well as their subsequent profiling. Likewise, the rights to freedom of thought, information and expression may be undermined by online disinformation campaigns, the proliferation of fake news or censorship. Cyber-bullying, defamation and hate speech can spread incredibly quickly, with detrimental effects on individuals' rights and reputation. 181 International human rights law (IHRL) imposes on states a set of protective obligations against these harms. They cover online activities to the extent that they take place under a state's jurisdiction. 182 In the cyber realm as in any other area of human activity, states not only have a 'negative' duty to respect human rights online - i.e. not to violate those rights with their own actions. They also have a positive duty to adopt all reasonable measures to protect the human rights of persons under their jurisdiction against threats posed by other entities, be they foreign governments, companies, criminals or other actors. 183 In addition, states must ensure the effective enjoyment of human rights on the Internet. 184 Positive obligations to protect and ensure may be potentially identified for all human rights. 185 With specific reference to the rights which are more commonly endangered online, one may highlight the rights to privacy, 186 honour and reputation, 187 and freedom of information and expression. 188 Due diligence, in this context, designates the standard of conduct that states must meet to comply with the said positive obligations. 189 Notably, positive human rights duties are owed not only to states but also individuals and the international community as a whole. They require states to prevent threats to the enjoyment of human rights, halt harms once they have initiated and remedy their effects, to the extent possible. 190 Attribution of the harmful conduct is unnecessary: all that must be demonstrated is that the state failed to adopt the necessary and reasonable protective measures, irrespective of who or what caused the harm. 191 Such measures may vary greatly depending on the human right in question, the type of threat and/or harm which the state is trying to prevent and the circumstances prevailing at the time. Treaty bodies have adopted relatively open-ended formulas when it comes to compliance. For instance, states have been urged to establish an adequate legal framework 192 providing for the availability of civil remedies and criminal provisions enabling effective investigations and prosecutions of rights violations. 193 Such laws should cover, inter alia, the prohibition of online speech constituting incitement to hatred, discrimination or violence based on certain characteristics, content moderation mechanisms, educational campaigns, the prohibition of Internet shutdowns and arbitrary content takedowns, 194 as well as corporate responsibility, public-private partnerships and export control of IT products. 195 States' positive human rights obligations containing a due diligence standard must not be confused with the related concept of corporate 'human rights due diligence', i.e. the non-binding responsibility of businesses to mitigate the human rights impact of their activities. 196 That said, states themselves have a positive obligation to establish a legal framework that requires businesses to, in turn, exercise their own due diligence. 197 This is all the more important in the cyber context, since the Internet and other ICTs are mostly owned, controlled or designed by private entities. 198 While states' protective duties under IHRL are also subject to a requirement of capacity to act, common to other due diligence obligations, 199 they may be 'substantively … more demanding' than those deriving from general international law, often including duties to actively seek knowledge of violations. 200 Other distinctive features include jurisdictional triggers (Section 4.C.1); the type of harms covered (Section 4.C.2); the knowledge requirement (Section 4.C.3); as well as the legal consequences of a failure to protect applicable human rights (Section 4.C.4).

State Jurisdiction
Under some IHRL treaties, before states' positive obligations in respect of online or offline harms can be triggered, jurisdiction must be established. 201 In IHRL, the concept of jurisdiction includes not only the territory of the duty-bearer but also effective control over certain physical spaces, persons or events located extraterritorially. Considering the multi-layered and transnational nature of cyberspace, comprising physical infrastructure, logical systems, data and human activity across multiple boundaries, 202 extraterritorial models of jurisdiction are particularly relevant in the context of states' protective obligations under IHRL.
First, there is broad agreement that extraterritorial jurisdiction 'follows' individuals wherever a state exercises some form of physical control or authority over them. 203 This is what is known as the 'personal' model of extraterritorial jurisdiction and most human rights bodies 204 and commentators 205 agree that it applies to both negative and positive human rights obligations. Secondly, although not without contestation, 206 several human rights bodies have expressed the view that jurisdiction may also be extended extraterritorially to the reasonably foreseeable human rights impact of the activities of entities, such as companies, which are incorporated or located in the duty-bearer's territory, or otherwise subject to a state's effective control. 207 Thirdly, the Human Rights Committee has advanced a more expansive, 'functional' approach to extraterritorial jurisdiction, grounded in the exercise of control over the enjoyment of the rights in question, regardless of any physical control over territory, the perpetrators or the individual victim. 208 Arguably, the functional approach to jurisdiction is best suited to address contemporary forms of effective control gained remotely through ICTs over victims, perpetrators and events. 209 Thus, its appeal resides in the increased protection of human rights, whose exercise increasingly depends on online systems. But while the functional model has received some support in respect of negative human rights duties, 210 many oppose its applicability to positive human rights obligations, fearing the lack of necessary government powers beyond a state's territory or spatial control. 211 Nevertheless, the practical impact of this jurisdictional model should not be overstated: any protective obligation only extends insofar as the duty-bearer has the capacity to adopt the necessary measures in question. 212 Capacity, in this context, includes the ability to influence the behaviour of the perpetrators, 213 or to predict events, the availability of resources and the duty to respect and protect other human rights. 214 Of course, there is a difference between a state having no jurisdiction at all and it being incapable of protecting human rights within its jurisdiction: in the latter case, the state's capacity to act, along with other elements of the obligation, must still be assessed. Yet, states are not required to do the impossible or to discharge a 'disproportionate burden' 215 but are expected to adopt measures that are reasonable in the circumstances. 216 Thus, as in any other jurisdictional model, the requirement of capacity to act overlaps with and modulates a state's functional jurisdiction over human rights online. 217

Type of Harm
Protective obligations under IHRL cover a wide spectrum of harms, including any conduct by public or private entities that impairs the enjoyment of human rights online or offline, such as privacy and freedom of expression. Unlike the no-harm principle, the online harm in question need not have a transboundary nature: provided jurisdiction is established, a state must protect human rights regardless of the harm's origin or trajectory.

Knowledge Requirement
Given the multitude of threats to human rights, it would be unrealistic and unreasonable to expect a state to be in a position to adopt protective measures against any such threats. Rather, states are only capable and thus required to act in the presence of some level of knowledge that there is a risk to human rights. With respect to the right to life, the Human Rights Committee and the Inter-American Court of Human Rights have stressed the requirement of reasonable foreseeability of threats 218 and constructive knowledge of an immediate and certain risk, 219 respectively. Whilst these pronouncements were concerned with the protection of the right to life, there is no particular reason not to extend them to positive obligations to protect other human rights, including in cyberspace. This means that, under IHRL, states must also exercise due diligence in actively seeking and evaluating available information about threats to human rights under their jurisdiction. 220

EJIL 32 (2021), 771-805 Articles

Legal Consequences of a Failure to Protect Human Rights
Unlike the Corfu Channel and the no-harm principles, positive obligations to protect and ensure human rights are breached by the mere lack of diligence, i.e. the wrongful omission or inaction in adopting the required measures. 221 This is true to the extent that states must prevent objectively foreseeable threats to human rights. 222 As such, the mere emergence of a risk of harm, regardless of whether or not it materializes, may breach positive human rights obligations. 223 Although the actual occurrence of the prohibited harm is generally indicative that the state has failed to exercise due diligence, proof of causation between the lack of diligence and the harm is unnecessary. According to the ECtHR, a state's knowledge of, acquiescence in or connivance to human rights violations perpetrated by third parties suffices to demonstrate a breach of that state's positive duties to protect those rights. 224 Importantly, a breach of positive human rights obligations arises not only from complete inaction but also from the adoption of insufficient or ineffective measures, when more appropriate ones were available. 225 Conversely, the occurrence of the prohibited harm does not necessarily mean that the state violated its due diligence obligations under IHRL. A violation only arises if it is proven that the state failed to adopt protective measures that it could have reasonably implemented. 226

intentionally or indiscriminately 227 disable civilian infrastructure and disrupt the provision of services essential to the civilian population. Many states 228 and most commentators agree that, at the very least, cyber operations having kinetic effects similar to those of traditional uses of armed force - for example, the destruction of civilian objects or harm to civilians - are covered by the provisions of IHL when carried out during an armed conflict. 229 But it remains unclear whether, in the absence of physical damage, the mere corruption of data or functional system disruptions amount to attacks governed by IHL. 230 Numerous rules of IHL establish protective obligations requiring states to exercise due diligence. 231 Of particular relevance to ICTs are the obligations to ensure respect for IHL, including by third parties (Section 4.D.1), and adopt defensive precautions to avoid or minimize harm to civilian objects and the civilian population (Section 4.D.2).

The General Duty to Ensure Respect for International Humanitarian Law in Cyberspace
A protective obligation is codified in Article 1 common to the 1949 Geneva Conventions on the Protection of Victims of War, which requires states to respect and ensure respect for the provisions of the conventions 232 - a provision repeated almost verbatim in Article 1(1) of Additional Protocol I. 233 The customary status of this rule was recognized by the ICJ, as well as its application to both international and non-international armed conflict. 234 Given the erga omnes nature of IHL, not only parties to an armed conflict but all states are bound to do 'everything in their power to ensure that the humanitarian principles underlying the Conventions are applied universally'. 235 According to Rule 144 of the International Committee of the Red Cross's (ICRC) Customary IHL Study, 236 this obligation requires States not only to refrain from committing or encouraging violations of IHL 237 but also to take positive steps to ensure - even in peacetime 238 - that other entities comply with IHL. 239 This obligation also applies in cyberspace and entails a duty to act, as far as possible, to prevent and halt cyber operations constituting violations of IHL. Its broad scope of application covers potential violations by state agents, as well as private entities over which a state exercises authority, such as populations under belligerent occupation, 240 or exerts a reasonable degree of influence, including other states and non-state groups located in different parts of the world. 241 As with other protective obligations, the duty to respect and ensure respect for IHL is triggered and limited by a state's capacity to act. 242 This, in turn, depends on a range of factors, such as available resources, the gravity of the violation and the degree of control or influence that the state exercises over the direct perpetrators. 243 Yet lack of military, economic or other resources does not exempt states from what remains a binding legal obligation to acquire and employ all reasonable means to ensure respect for IHL, including in cyberspace. 244 The duty is triggered not only by a state's knowledge of violations but also by objective foreseeability. 245 However, though it arises from the moment IHL violations become known or foreseeable, a breach only occurs if the actual harm materializes, like the Corfu Channel and no-harm principles. 246 States may comply with this rule by simply adopting measures well-known in the law of state responsibility, such as invoking a breach of IHL by a third state through adjudicative or diplomatic means, 247 demanding its cessation, guarantees of non-repetition or reparations, 248 refraining from recognizing the situation as lawful and rendering assistance to the state in breach, 249 as well as taking effective steps to investigate and redress the violations. 250

The Duty to Adopt Protective Precautions against the Effects of Cyber Warfare
The principle of precaution enshrined in several IHL provisions also embodies a set of protective duties. Article 51 of Additional Protocol I generally provides that '[t]he civilian population and individual civilians shall enjoy general protection against dangers arising from military operations'. 251 It is immediately evident how cyber warfare may pose a challenge to the application of such rule. To begin with, civilian cyber-infrastructures may not be easily distinguishable from lawful military objectives, as these often depend on services and resources provided by private entities. 252 The interconnectivity of cyberspace may also mean that cyberattacks directed against military objectives may spill over into civilian systems, causing disruption or loss of functionality. 253 To obviate such undesirable results, Article 58 of Additional Protocol I requires parties to a conflict to adopt precautionary measures to protect civilian populations and objects against the effects of attacks, provided they exercise control over the territory, physical infrastructure or, in our view, the operational systems which may be targeted. 254 The rule has achieved customary status, as recognized by Rules 22-24 of the ICRC's Study on Customary IHL, and is applicable not only in international armed conflict but also, arguably, in non-international ones. 255

act contrary to the rights of other states, significant transboundary harm or a violation of more specific international rules, such as IHRL and IHL.
These common threads raise the following question, foreshadowed at the beginning of this paper: is there a general principle of due diligence in international law? Perhaps. This is what the ICJ seemed to imply when, in Pulp Mills, it stated that 'the principle of prevention is a customary rule, and as such it has its origins in the [standard of] due diligence that is required of a State in its territory'. 263 In the same vein, citing the Alabama Claims arbitration, the Trail Smelter arbitral tribunal held that both arbitrations were decided on the basis of the 'same general principle' according to which '[a] State owes at all times a duty to protect other States against injurious acts by individuals from within its jurisdiction'. 264 The ILA 265 and some states have also supported this position, particularly in the context of cyberspace. 266 But whether or not this holds true, it should not detract from the fact that a comprehensive legal framework of binding protective obligations to prevent, halt and redress harm already applies in cyberspace, however patchy or fragmented it is.
Such a framework comprises at least two different primary rules of general international law, namely the Corfu Channel and the no-harm principles. In addition, different obligations of due diligence arising under specialized branches of international law apply concurrently to cover different uses, aspects and consequences of ICTs. Among them, we have highlighted the positive obligation to protect human rights online, as well as the duty to ensure respect for IHL and to adopt precautions against the effects of cyberattacks in armed conflict.
While the said rules overlap and could be interpreted systematically, insofar as they work towards similar goals, they remain separate and should not be conflated. Each has different triggers, requirements and standards of care. It may well be that, from their similarities, one can derive a general principle of international law. Furthermore, states maintain the prerogative to develop - through conventional or customary international law - a new specialized duty containing a 'cyber due diligence' standard. This duty may well be modelled on any of the existing protective obligations or a mix thereof, mirroring Rule 6 of the Tallinn Manual. Yet, in debates about diligent state behaviour in cyberspace, doubts about a general principle or a cyber-specific protective obligation should not be presented as an alternative to a legal vacuum. For international law already provides more than meets the eye: a patchwork of protective duties that, together, require states to do their best to prevent, halt and respond to a wide range of online harms.