“Even as it is criminal actors who are taking these actions against the United States or entities — private-sector entities in the United States, even as — even without the engagement of the Russian government, they still have a responsibility”[1]
Introduction
« Responsible countries need to take action against criminals who conduct ransomware activities on their territory”[2]. Did Joe Biden’s words during his meeting with President Putin on the banks of Lake Geneva spell the end of an era? For how long will States still be able to harbor cybercriminal groups with impunity?
While ransomware wreaks havoc across the world and paralyzes critical infrastructure, as further evidenced by the recent Colonial Pipeline[3] attack or the alarming growth of cyber-malicious acts aimed at the healthcare sector during the COVID-19 crisis[4], the issue of States’ compliance with due diligence in regard to criminal activity carried out from their territory as well as that of their responsibility in cases of negligence can no longer be postponed.
Whether out of interest, cowardice, carelessness or even ignorance, some States have proven to be a safe haven for criminal groups who develop ransomware and other malicious cyber tools in order to launch their own attacks or to monetize these tools at an incredibly high price in a particularly lucrative and unscrupulous market. Whether economic, political, or strategic, the aims of these attacks are numerous and sometimes overlapping, with some States not hesitating to use these private players as actual “proxies”.
In cyberspace, where one crisis follows another, and where the fight against ransomware and cybercrime has become a priority in terms of national and international security, the principle of due diligence is destined to play an essential role by reminding States of their duty not only to prevent such activities but also to crack down on them.
Due diligence in regard to criminal activity and State sovereignty in cyberspace
Just like tax havens, new havens known as “cyber-havens” have grown in the protective shadow of sovereign States. Yet sovereignty should not rhyme with impunity. While sovereignty is indeed a protective principle that confers on States “the exclusive right to exercise State activities” on their own territory, it also has “a subsequent duty: the obligation to protect, within the territory, the rights of other States, in particular their right to integrity and inviolability in time of peace and in time of war”[5].
This duty of States to ensure their territory is not used to cause harm to other States has been affirmed many times over by international judges. Its most famous expression is undoubtedly the dictum of the International Court of Justice in the Corfu Channel Case, which states “the obligation, of any State, to not allow its territory to be used for the purposes of acts contrary to the rights of other states”[6]
By virtue of their sovereignty, States must therefore show due diligence in regard to activities taking place on their territory or under their control, and, in the event of a breach of duty, may, in some cases, be considered liable for any damage caused to other States.
The duty to prevent the use of one’s territory for the purposes of acts contrary to the rights of other States is thus incumbent upon States, no matter the identity of the perpetrator or the nature of the acts involved, whether they are high or low tech, physical or digital. In its 2015 report, the United Nations Group of Governmental Experts on Cybersecurity, without specifically mentioning the principle of due diligence, made several mentions of this duty. In particular the group maintained that States “should ensure that non-state actors do not use their territory to commit” (…) “internationally wrongful acts using information technology” and that they “should not knowingly allow their territory to be used to commit internationally wrongful acts using information and communication technologies”[7]. These implicit references to the principle of due diligence were reiterated practically word for word by the GGE in its most recent report adopted in May of this year[8]. Furthermore, many States, including France[9], but also the European Union, have clearly and explicitly stated the importance of this principle in cyberspace.
Although some states, in particular Israel[10] and the United Kingdom[11], and to a lesser extent the United States, dispute the legally binding nature of the due diligence principle in cyberspace, it seems more and more States are in favor of its mandatory essence. Moreover, this makes sense from a legal standpoint, as several indications make it out to be a general principle in international law, applicable well beyond the scope of environmental law[12].
The issue is therefore not whether or not States have a duty to not knowingly let their digital infrastructure be used to develop ransomware or commit cybercrime against other States, as it is obvious this duty exists. The question is rather to what extent and how this duty can be expected from States in the fight against cybercrime.
Knowledge, Capacity, Risk, Damage: the four cardinal points of due diligence in the fight against cybercrime
Due diligence is a behavioral duty and not a duty to produce results. It requires that States be reasonably vigilant in regard to cybercrime within their territory.
Assessing the reasonableness of this vigilance will therefore depend on the circumstances of each individual case and on a series of factors which can be called “variability factors”. To determine whether a State is reasonably vigilant with regard to cybercrime on its territory, it is therefore necessary to assess on a case-by-case basis each of these variability factors and in particular the four main ones: knowledge, capacity, risk and damage.
*Awareness. Awareness is a key element, without which there can be no due diligence. In the digital space, this awareness can raise certain questions and be a cause for concern. Indeed, the speed and stealth with which these actions are carried out there, but also their essentially private nature, make awareness difficult, especially when these actions are only passing through the State’s digital infrastructure.
It should nonetheless be emphasized that a State exercising territorial sovereignty does not mean that State must necessarily be aware of everything going on within its territory. The knowledge by a State of cybercriminal groups located on its territory or launching cyberattacks against another State from its infrastructure cannot therefore be presumed. But conversely, it goes without saying that sovereign States cannot, reasonably, ignore everything going on within their territory.
A particularly critical issue in the digital space is therefore determining to what extent a sovereign State ‘knows’, ‘must know’, ‘should know’, ‘should have known’ or ‘should seek to know’, in particular through the monitoring of actions carried out on its territory.
Awareness and monitoring. The close relationship between awareness and surveillance has been widely discussed by international judges, particularly in the area of human rights. What transpires is that although States must exercise control over actions carried out on their territory, particularly in the fight against cybercriminal groups, this does not mean that they are authorized to use such a pretext to develop mass surveillance and erode essential freedoms, such as the right to privacy and confidentiality.
Awareness and notification. A second important question raised by awareness in the fight against cybercrime is knowing when a state is deemed to know, especially when this “knowledge” is the result of being notified by another state. The United States has widely emphasized this fact, with President Biden saying of Vladimir Putin: “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is”[13].
In the fight against cybercrime, notification can indeed constitute an interesting means of informing a State of actions carried out on or passing through its territory. The notification process can, however, raise certain questions and difficulties. For example, must those who notify, most often the victim States, provide certain elements in order for this notification to be accredited? Can one also consider, like President Biden, that a state “cannot not know” when it has been informed by a third state? In its most recent report, adopted in May 2021, the United Nations Group of Experts on Cybersecurity showed more leniency. After emphasizing that a State affected by malicious cyberactivity should inform the State from which the activity originates and that the notified State should acknowledge receipt of this notification (and make all reasonable efforts to help establish if an internationally wrongful act has been committed), the report nevertheless considers that acknowledging receipt of this notification does not mean the State agrees with the information it contains[14].
*Capacity. States do not all have the same capacities in preventing the use of their digital infrastructure by cybercriminals. Differences in capacities between States are indeed particularly blatant in the digital space. This situation may be a cause for concern, with some States fearing that due diligence may prove too burdensome or expose them too quickly to the reactions of wronged States. This concern, although legitimate, cannot however be overestimated. Indeed, capacity constitutes a widely admitted criterion in the interpretation and implementation of due diligence. Several factors may be used to assess a State’s capacity, for instance its level of economic growth, or its access to the required knowledge and technical capacities.
Common yet differentiated capacity and responsibility. However, could we go further and borrow the principle of “common but differentiated responsibility” from environmental law to refer to this variability factor regarding States’ capacities in the digital space? Duty would be differentiated insofar as States have different capacities, but also common because, as noted in particular by the United Nations Group of Experts on Cybersecurity, “the differences in capacities from one State to another in IT security can exacerbate the vulnerability of an interconnected world”[15].
While the analogy with the notion of “common but differentiated responsibility” is undoubtedly interesting in the fight against cybercrime, it should nevertheless be recalled that, whatever the inequalities in capacity, States are sovereign in cyberspace, and the monitoring of infrastructure and actions carried out therein is “a natural attribute of any government”[16]. Moreover, we could add that another essential attribute of any government, whatever its capacities, is its legislative function: any sovereign state can, at a minimum, adopt legislation to punish cybercrime.
*Risk. It is generally accepted that the degree of diligence should be commensurate with the degree of risk of cross-border harm. According to precedents that now seem well established, “the level of diligence required must be more rigorous for high-risk activities”[17]. Considering the spectacular growth of malicious acts in the digital space, in particular ransomware targeting critical infrastructure, it appears that digital activities constitute high-risk activities that require States to be more vigilant.
*Damage. Due diligence does not necessarily cover all risk of damage. The damage must indeed reach a certain threshold of seriousness. Moreover, the combination of risk and damage is what makes it possible to assess the degree of attentiveness States must bring to a given action. Neither the threshold nor the degree of seriousness of the damage, however, received particular attention in the reports of the United Nations Group of Experts on Cybersecurity, which referred in a rather vague manner to « the possibility of damage”[18] to the property, economy and nationals of States. On the other hand, special attention is now paid to “critical infrastructure” and other so-called essential or vital infrastructure whose destruction or incapacity substantially weakens the defense or national security of a State. During their meeting on the banks of Lake Geneva, President Biden drew a real line by giving Vladimir Putin a list of 16 critical US infrastructure sectors whose attack could lead to a response. While the United States did not go into more detail concerning the type of response, the American statement sounds like a serious warning: “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own”[19].
Prevention, Prosecution, Notification, Cooperation: due diligence and obligations to act in the fight against cybercrime
Due diligence requires States that are aware of cybercrime on their territory to take reasonable measures to put an end to this activity. There have been many calls for due diligence in recent months, particularly in connection with ransomware attacks. Thus, for example, in the midst of the COVID-19 crisis and the attacks carried out on medical and hospital infrastructures, Denmark, Finland, Iceland, Norway and Sweden adopted a joint declaration in which they call on States to exercise due diligence and take appropriate measures against malicious cyber acts carried out from their territory[20]. This declaration echoes the one made by High Representative Josep Borell in the name of the European Union with regard to malicious cyber acts taking advantage of the coronavirus pandemic, in which the European Union and member states “call upon each country to exercise due diligence and take the appropriate measures against players engaging in such activity”[21].
While due diligence undoubtedly includes a duty to act in order to put an end to activities infringing on the rights of States, there remain some important questions: does due diligence involve a duty to inform or even cooperate? Does it entail a duty to prevent and prosecute?
In regard to the existence of a duty to prevent or even prosecute, it should be noted that the Tallinn Manual 2.0[22] categorically rejects the idea according to which due diligence involves a preventive or repressive aspect. Such a position is surprising considering there exists no “structural” or theoretical obstacle to such an aspect of due diligence and, moreover, international case law is rife with examples in which the duty to prevent (and prosecute) has clearly and expressly been stated in regard to required due diligence. In light of these two elements, it is hard to see how and why the principle of due diligence should, in cyberspace and particularly in matters of cybercrime, be separated from these two aspects. We could even consider that the first measure States can take in the fight against cybercrime, whatever their capacity, is to prevent and crack down on these acts by legislating to prohibit them and by arming themselves with the necessary legislative arsenal to prosecute and sanction their perpetrators. As Canada recently pointed out during the first official Security Council meeting dedicated to peace and security in cyberspace: “Criminal actors who engage in ransomware and other criminal activities live in and work from States. They use States’ digital infrastructure to undertake their malicious activity. They are subject to those States’ laws. When informed of potential malicious activity emanating from their territory, States have a responsibility to respond, enforcing their laws (…)”[23].
In regard to notification and cooperation, some caution is in order. To state that a duty to inform is incumbent upon States that become aware of cybercrime taking place on their territory, vis-à-vis potentially wronged States, would entail a duty to produce results. However, due diligence is, by definition, a behavioral duty, a code of conduct. States therefore have a choice of means in trying to put an end to the known risk to the other State’s security and, while notification or even cooperation with the other State are undoubtedly privileged means, they are not the only ones. If the State adopts other measures to prevent and / or put an end to cybercrime, then notification may not be necessary. That being said, it appears that, in some situations, notification might be the only way to prevent the damage from occurring or to mitigate its consequences. Given the nature of the digital space and the potentially devastating nature of cyberattacks, States may need to make extensive use of notification. Otherwise it could be inferred that they have not taken the “reasonable” measures available to them to prevent / put an end to the cyberattack.
Some States, such as Canada and the United States, seem to consider that States also have a duty to cooperate in the fight against cybercrime. Thus, according to Canada, “when informed of potential malicious activity emanating from their territory, States have a responsibility to respond, enforcing their laws and cooperating with other States”[24]. While cooperation between States seems especially desirable in some contexts, whether it follows directly from the due diligence principle is uncertain. Moreover, given certain issues in cooperation inherent to cyberspace (in particular regarding the refusal to disclose a State’s technological expertise in cybersecurity to third parties) or the sometimes extremely complicated relations between States, cooperation could prove to be much more difficult than a notification that is accessible to all.
Violation of due diligence and State responsibility: an appropriate way around the issue of assigning guilt
Breach of due diligence by a State in regard to cybercrime could constitute an unlawful international act falling under the State’s responsibility. In this regard, it is interesting to note that, while laying blame constitutes one of the most delicate issues in compelling State responsibility in cyberspace, this designation issue is partly circumvented when compelling responsibility is based on due diligence.
Indeed, common practice in matters of cybercrime and ransomware shows it is sometimes difficult to consider a cyberattack launched from a State an “unlawful international act”; either because it is very difficult, for technical, legal or political reasons to attribute the cyberattack to said State, or because it is difficult to precisely determine the rule that was violated, or for both reasons at the same time.
Implementing the due diligence standard in the digital space makes it possible to get around most of these issues but, of course, does not resolve them all. Establishing that a state has violated due diligence does not in fact necessarily imply blaming the cyberattack on that state using the usual mechanisms of attribution. It is in fact relatively immaterial whether the act in question was committed by a State organ, an agent acting ultra vires or outside his functions, a ‘proxy’, an intermediary, a group of ‘patriotic hackers’, terrorists, the mafia, cybercriminals or even a company keen on gaining a competitive advantage. The only thing that matters with regard to the principle of due diligence is to know if the elements constituting its violation are present, no matter who the author of the attack is: did the State know or should it have known that its infrastructure was being used to launch a cyberattack causing serious damage to another State? Did the State forego its duty to take the reasonable measures available to prevent the damage? If the answer is yes, the State could be held responsible regardless of the perpetrator. As Japan recently emphasized: “we recognize the difficulty of attributing cyber operations to a State. The due diligence obligation may provide grounds for invoking the responsibility of the State from the territory of which a cyber operation not attributable to any State originated.”[25].
Of course, this does not mean that the many technical difficulties pertaining to the source and modus operandi of cyberattacks miraculously disappear. To demonstrate the existence of a breach in due diligence, technical evidence is necessary, in particular that allowing to demonstrate that the cyberattack did indeed emanate from the territory of the State in question (or passed through it) and that the latter had (or should have been) aware of this situation, had reasonable means to put an end to it (or at least mitigate the consequences) and did nothing about it. These technical and legal issues, combined with other difficulties intrinsic to the very nature of due diligence, could make proving such a breach in due diligence in cyberspace particularly difficult.
Conclusion
The principle of due diligence maintains the primary responsibility of States in regard to actions carried out on their territory, both by public bodies and by private-sector players. It sets a reasonable behavior standard for States in preventing and cracking down on cybercrime within their territory, while making it possible to get around the delicate issue of assigning guilt. While this principle is of course not the only legal tool Sates should use to fight the scourge of ransomware attacks, it contributes to fostering responsible behavior among States and, as such, is a precious tool in the fight against cybercrime.
[1] Press Briefing by Press Secretary Jen Psaki, July 6, 2021. https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/07/06/press-briefing-by-press-secretary-jen-psaki-july-6-2021/
[2] Remarks by President Biden in Press Conference, Hôtel du Parc des Eaux-Vives, Geneva, Switzerland, June 16, 2021, https ://www.whitehouse.gov/briefing-room/speeches-remarks/2021/06/16/remarks-by-president-biden-in-press-conference-4/
[3] On May 7, 2021, Colonial Pipeline (an American pipeline system transporting oil from Houston, Texas, primarily to the southeastern United States) suffered a ransomware cyberattack. As a result, Colonial Pipeline halted all operations until May 13, 2021, which caused a shortage on the East Coast of the United States. This cyberattack was the largest ever against US oil infrastructure. Company management stated it paid hackers $4.4 million to be able to resume operations. https://www.lemonde.fr/pixels/article/2021/05/10/comment-un-rancongiciel-a-seme-la-panique-dans-un-grand-reseau-d-oleoducs-aux-etats-unis_6079752_4408996.html
[4] Since the start of the pandemic, health organizations have been a major target of ransomware attacks. In France, the hospitals of Dax, Villefranche-sur-Saône, Oloron Sainte-Marie and Saint Gaudens have thus been targeted. https://www.usine-digitale.fr/article/l-hopital-de-saint-gaudens-touche-par-un-ransomware-les-tests-covid-19-interrompus.N1081059
[5] Island of Palmas Case, United States v. The Netherlands, Arbitration decision dated April 4, 1928, page 8.
[6] Corfu Channel Case, April 4, 1949 judgment, ICJ Reports, 1949, page 22.
[7] Group of Governmental Experts in charge of studying advances in IT and telecommunications in the context of international security, 2015 report, Note from the Secretary-General, A/70/174, July 22, 2015. https://undocs.org/fr/A/70/174
[8] Report of the Group of Governmental Experts on Advancing responsible State behavior in cyberspace in the context of international security, Letter of transmittal, Advance Copy, May 28, 2021. https://front.un-arm.org/wp-content/uploads/2021/06/final-report-2019-2021-gge-1-advance-copy.pdf
[9] Ministry of the Armed Forces, International Law Applied to Operations in Cyberspace, September, 2019.
[10] See in this regard the position expressed by Israel in Roy Schöndorf’s (Israeli Attorney General-International law), ‘Israel’s perspective on Key legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, EJIL: Talk!, December 9, 2020, https://www.ejiltalk.org/israels-perspective-on-key-legal-and-practical-issues-concerning-the-application-of-international-law-to-cyber-operations/
[11] See the position expressed recently by the United Kingdom in: United Kingdom of Great Britain and Northern Ireland, Application of International Law to States’ Conduct in Cyberspace United Kingdom Statement, United Nations Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in The Context Of International Security, June 3, 2021, https://www.gov.uk/government/publications/application-of-international-law-to-states-conduct-in-cyberspace-uk-statement
[12] In this regard, see our analysis in Karine Bannelier’s “Due diligence in cyberspace: Who is afraid of cyber-diligence?”, Belgian Review of International Law, 2017, pp. 612-665.
[13] BBC News, Biden vows US action over Russian cyber-attacks, July 10, 2021. https://www.bbc.com/news/world-us-canada-57786302
[14] Report of the Group of Governmental Experts on Advancing responsible State behavior in cyberspace in the context of international security, Letter of transmittal, Advance Copy, May 28, 2021, p. 7 (An affected State should notify the State from which the activity is emanating. The notified State should acknowledge receipt of the notification to facilitate cooperation and clarification and make every reasonable effort to assist in establishing whether an internationally wrongful act has been committed. Acknowledging the receipt of this notice does not indicate concurrence with the information contained therein). https://front.un-arm.org/wp-content/uploads/2021/06/final-report-2019-2021-gge-1-advance-copy.pdf
[15] Group of Governmental Experts in charge of studying advances in IT and telecommunications in the context of international security, 2015 report, Note from the Secretary-General, A/70/174, July 22, 2015. https://undocs.org/fr/A/70/174
[16] ILC, “Draft Articles on Prevention of Transboundary Harm from Hazardous Activities and Related Comments”, op. cit., art. 3, comments §17, p. 426.
[17] In 2011, in its advisory opinion on the Responsibilities and Duties of States in the context of activities carried out in the Area, the Tribunal for the Law of the Sea considered that “this notion may also change depending on the risks incurred by the activity” and that “The level of diligence required must be more rigorous for high-risk activities”.
[18] GGE, 2015 report, Note from the Secretary-General, A/70/174, July 22, 2015.
[19] Press Briefing by Press Secretary Jen Psaki, July 6, 2021. https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/07/06/press-briefing-by-press-secretary-jen-psaki-july-6-2021/
[20] Security Council, Arria Formula Meeting on Cyber stability and conflict prevention, Joint statement from Denmark, Finland, Iceland, Sweden and Norway by Ambassador Mona Juul at the Arria-meeting on Cyber stability and conflict prevention, May 22, 2020. https://www.norway.no/en/missions/UN/statements/security-council/2020/arria-cyber-stability-and-conflict-prevention
[21] European Council, Declaration by the High Representative Josep Borrell, on Behalf of The European Union, on Malicious Cyber Activities Exploiting the Coronavirus Pandemic, April 30, 2020. https://www.consilium.europa.eu/en/press/press-releases/2020/04/30/declaration-by-the-high-representative-josep-borrell-on-behalf-of-the-european-union-on-malicious-cyber-activities-exploiting-the-coronavirus-pandemic/
[22] M.N. SCHMITT (ed.), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge, CUP, 2017, 598 p.
[23] United Nations Security Council, Open Debate on Cyber Security, Maintaining international peace and security in cyberspace, Canada’s submission, June 29, 2021. https://www.international.gc.ca/world-monde/international_relations-relations_internationales/un-onu/statements-declarations/2021-06-29-cybersecurity-cybersecurite.aspx?lang=eng
[24] Canada Submission’s to the UNSC Open Debate on Cybersecurity, New-York, June 29, 2021, https://www.international.gc.ca/world-monde/international_relations-relations_internationales/un-onu/statements-declarations/2021-06-29-cybersecurity-cybersecurite.aspx?lang=eng
[25] United Nations Security Council, Open Debate on Cyber Security, Maintaining international peace and security in cyberspace, Statement by Mr. AKAHORI Takeshi, June 29, 2021. https://www.un.emb-japan.go.jp/itpr_en/akahori062921.html
the newsletter
the newsletter