Abstract
Although there has been a relative abundance of work done on exploring the contours of the law of cyber war, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations’ due diligence obligations are to their respective private sectors and to one another. The International Court of Justice (“ICJ”) has not explicitly considered the legality of cyber weapons to this point, though it has ruled in the Corfu Channel case that one country’s territory should not be “used for acts that unlawfully harm other States.” But what steps exactly do nations and companies under their jurisdiction have to take under international law to secure their networks, and what of the rights and responsibilities of transit states? This chapter reviews the arguments surrounding the creation of a cybersecurity due diligence norm and argues for a proactive regime that takes into account the common but differentiated responsibilities of public- and private-sector actors in cyberspace. The analogy is drawn to cybersecurity due diligence in the private sector and the experience of the 2014 National Institute of Standards and Technology (“NIST”) Framework to help guide and broaden the discussion.
An updated and expanded version of this article featuring both private and public-sector experiences with building out due diligence was published as Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, 17 Chicago Journal of International Law 1(2016).
Notes
- 1.
However, it should be noted that other jurisprudence is also on point and is not discussed here due to space constraints, including: Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion – General Assembly, ICJ Reports, 8 July 1996, at 22, para. 29; Gabcikovo-Nagymaros Project (Hungary v. Slovakia), Judgment, 25 September 1997, ICJ Reports (1997), at 7, para. 53; Case concerning pulp mills on the river Uruguay (Argentina v. Uruguay), Judgment, 20 April 2010, para. 193.
- 2.
For further information on how cybersecurity governance is playing out in the arena of critical infrastructure protection around the world, see generally Shackelford and Craig (2014).
- 3.
A more comprehensive comparative case study of these cyber powers—including a cybersecurity due diligence matrix—is included in Shackelford, Russell, & Kuehn, supra note 1.
- 4.
This sentiment may also be considered another manifestation of the sliding scale approach discussed in Section 16.2.1.
- 5.
China is pursuing cyber diplomacy on an array of fronts. Among other actions, China is furthering the multilateral cybersecurity initiative with the Shanghai Cooperation Organization, is negotiating a bilateral cybersecurity treaty with Russia, is involved in a U.S.-China working group to diffuse tensions around mutually alleged cyber exploitations, and has been drafting cybersecurity-relevant proposals and declarations to garner support from like-minded states at the 2014 World Internet Conference in China and at various UN meetings.
- 6.
N. Sea Continental Shelf (F.R.G./Den. v. Neth.), 1969 I.C.J. 41, 72 (Feb. 20).
- 7.
Cf. Willingham v. Global Payment, 2013 WL 440,702 at 19 (N.D. Ga 2013) (unreported) (reflecting an alternative view in which courts are reluctant to rely on data security standards as a means of determining whether a duty was owed, let alone whether they should be used to determine a reasonable standard of care).
- 8.
For more on this topic, see Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis, 18 Am. Bus. L. J. 721 (2015).
- 9.
See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 895–98 (1998).
References
Ahrens, Nathaniel. 2012. National security and China’s information security standards: Of Shoes, Buttons, and Routers. Center for Strategic and International Studies, November 8. http://csis.org/publication/national-security-and-chinas-information-security-standards. Accessed 26 Mar 2015.
Armerding, Taylor. 2014. NIST’s finalized cybersecurity framework receives mixed reviews. CSO, January 31. http://www.csoonline.com/article/2134338/security-leadership/nist-s-finalized-cybersecurity-framework-receives-mixed-reviews.html. Accessed 26 Mar 2015.
Ayres, Erin. 2014. Cybersecurity easing its way into M&A due diligence. Cyber Risk Network, Aug. 22. http://www.cyberrisknetwork.com/2014/08/22/cybersecurity-easing-way-ma-process/. Accessed 26 Mar 2015.
Barnett et al. 2014. Cybersecurity issues in dealmaking: What you need to know. ACG. http://www.acg.org/UserFiles/file/Cybersecurity%20Webinar%20-Final.pdf. Accessed 26 Mar 2015.
Bodle, Ralph. 2012. Climate Law and geoengineering. In Climate change and the law, Ius Gentium: Comparative perspectives on law and justice, ed. Erkki Hollo, Kati Kulovesi, and Michael Mehling, 447–470. Dordrecht: Springer.
Botnet Control Servers Span the Globe. McAfee. https://blogs.mcafee.com/mcafee-labs/botnet-control-servers-span-the-globe. Accessed 23 Jan 2013.
Bradley, Curtis A. 2013. The chronological paradox, state preferences, and Opinio Juris. Duke law. http://law.duke.edu/cicl/pdf/opiniojuris/panel_1-bradley-the_chronological_paradox,_state_preferences,_and_opinio_juris.pdf. Accessed 26 Mar 2015.
Buckley, Chris and Lucy Hornby. 2010. China defends censorship after Google threat. Reuters, January 14. http://www.reuters.com/article/2010/01/14/us-china-usa-google-idUSTRE60C1TR20100114. Accessed 26 Mar 2015.
Bundesministerium des Innern. 2008. Schutz Kritischer Infrastrukturen – Risiko- und Krisenmanagement: Leitfaden für Unternehmen und Behörden. http://www.bmi.bund.de/SharedDocs/Downloads/DE/Broschueren/2008/Leitfaden_Schutz_kritischer_Infrastrukturen.pdf?__blob=publicationFile. Accessed 26 Mar 2015.
Case Concerning the Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. U.S.), 1986. I.C.J. 14, 183 (June 27).
Chinese OS expected to debut in October. Xinhuanet, August 24, 2014. http://news.xinhuanet.com/english/china/2014-08/24/c_133580158.htm. Accessed 26 Mar 2015.
Clinton, Hillary Rodham. 2010. Remarks on internet freedom. U.S. Department of State. http://www.state.gov/secretary/20092013clinton/rm/2010/01/135519.htm. Accessed 26 Mar 2015.
Corfu Channel Case (United Kingdom v. Albania), 1949. I.C.J. 244 (Dec. 15).
de Maizière, Thomas. 2014. Sichere Informationsinfrastrukturen in einem Cyber-Raum der Chancen und der Freiheit. http://www.bmi.bund.de/SharedDocs/Reden/DE/2014/12/east-west-cyber-summit.html?nn=3314802. Accessed 26 Mar 2015.
Definition of International Law. Int’l Labor Org. http://www.actrav.itcilo.org/actrav-english/telearn/global/ilo/law/lablaw.htm. Accessed 25 Mar 2015.
Del Mar, Katherine. 2012. The international court of justice and standards of proof. In The ICJ and the evolution of international law: The enduring impact of the Corfu channel case, ed. Karine Bannelier, 98–123. London: Routledge.
DNI, Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage: 2009–2011, October 2011.
Edwards, Dennis et al. 2007. Prevention, detection and recovery from cyber-attacks using a multilevel agent architecture. System of systems engineering 1, 1 (2007). doi:10.1109/SYSOSE.2007.4304228.
Ensign, Rachel Louise. 2014. Cybersecurity due diligence key in M&A deals. Wall Street Journal, April 24. http://blogs.wsj.com/riskandcompliance/2014/04/24/cybersecurity-due-diligence-key-in-ma-deals.
Eye of the Storm: Key Findings from the 2012 Global State of Information Security Survey. PwC. http://www.pwc.co.nz/global-state-of-information-survey.aspx. Accessed 26 Mar 2015.
Finnemore, Martha. 2011. Cultivating international cyber norms. In America’s cyber future: Security and prosperity in the information age, eds. Kristin M. Lord and Travis Sharp, 87–102. Washington, DC: CNAS.
GATT 1994: General Agreement on Tariffs and Trade 1994, Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1A, THE LEGAL TEXTS: THE RESULTS OF THE URUGUAY ROUND OF MULTILATERAL TRADE NEGOTIATIONS 17 (1999), 1867 U.N.T.S. 187, 33 I.L.M. 1153 (1994).
General Assembly resolution 55/63, Combatting the criminal use of information technologies, A/RES/55/63 (22 Jan 2001). http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_55_63.pdf. Accessed 26 Mar 2015.
German Federal Ministry of the Interior. 2011. Cyber-Sicherheitsstrategie für Deutschland. http://www.bmi.bund.de/DE/Themen/IT-Netzpolitik/IT-Cybersicherheit/Cybersicherheitsstrategie/cybersicherheitsstrategie_node.html. Accessed 26 Mar 2015.
Gierow, Hauke Johannes. 2014. Cyber security in China: New political leadership focuses on boosting national security. Mercator Institute for China Studies. http://www.merics.org/fileadmin/templates/download/china-monitor/China_Monitor_No_20_eng.pdf. Accessed 26 Mar 2015.
Greis, Friedhelm. 2014. Kabinett beschließt Meldepflicht für Cyberangriffe. Golem.de, December 17. http://www.golem.de/news/it-sicherheitsgesetz-regierung-beschliesst-meldepflicht-fuer-cyberangriffe-1412-111234.html. Accessed 26 Mar 2015.
Gruener, Wolfgang. 2012. Many new PCs in China come with malware preinstalled. Tom’s Hardware, September 24. http://www.tomshardware.com/news/microsoft-pc-windows-security-china,17758.html. Accessed 26 Mar 2015.
Gulati, Mitu. 2013. How do courts find international custom? Duke Law. http://law.duke.edu/cicl/pdf/opiniojuris/panel_6-gulati-how_do_courts_find_international_custom.pdf. Accessed 26 Mar 2015.
Henckaerts, Jean-Marie, and Doswald-Beck, Louise. 2005. Assessment of customary international law. ICRC. http://www.icrc.org/customary-ihl/eng/docs/v1_rul_in_asofcuin. Accessed 26 Mar 2015.
Hurwitz, Roger. 2009. The prospects for regulating cyberspace: A schematic analysis on the basis of Elinor Ostrom. MIT. http://web.mit.edu/ecir/pdf/hurwitz-ostrom.pdf. Accessed 26 Mar 2015.
International Labor Organization. 2013. Definition of international law. International Labour Organization. http://www.actrav.itcilo.org/actrav-english/telearn/global/ilo/law/lablaw.htm. Accessed 25 Mar 2015.
Jinping, Xi: China must evolve from a large internet nation to a powerful internet nation. Xinhuanet.com, February 27, 2014. http://news.xinhuanet.com/politics/2014-02/27/c_119538788.htm. Accessed 26 Mar 2015.
Keohane, Robert O., and David G. Victor. 2011. The regime complex for climate change. Perspectives on Policy 9: 7–23.
Kirgis, Frederic L. 1987. Custom on a sliding scale. The American Journal of International Law 81(1): 146–151.
Kuehn, A., and M. Mueller. 2014. Analyzing bug bounty programs: An institutional perspective on the economics of software vulnerabilities. Proceedings of the 42nd research conference on communication, information, and internet policy. 12–14 September, 2014, Arlington, VA. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2418812.
Lewis, James A. 2011a. Why privacy and cyber security clash. In America’s cyber future: security and prosperity in the information age, ed. Kristin M. Lord and Travis Sharp, 123–142. Washington, DC: CNAS.
Lewis, James A. 2011b. Confidence-Building and international agreement in cybersecurity. In Disarmament forum: Confronting cyberconflict, 51–59. United Nations Institute for Disarmament Research. http://www.unidir.org/files/publications/pdfs/confronting-cyberconflict-en-317.pdf. Accessed 26 Mar 2015.
Lewis, James A. 2013. Raising the bar for cybersecurity. CSIS. http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf. Accessed 26 Mar 2015.
Lord, Kristin M., and Travis Sharp. 2011. Executive summary. In America’s cyber future: Security and prosperity in the information age. Washington, DC: CNAS.
McGinnis, Michael D. 2011. An introduction to IAD and the language of the Ostrom workshop: A simple guide to a complex framework. Policy Studies Journal 39(1): 169–183.
McKay et al. 2014. International cybersecurity norms: Reducing conflict in an Internet-dependent world. Microsoft. http://tinyurl.com/ogv9qzq. Accessed 26 Mar 2015.
Messerschmidt, Jan E. 2013. Hackback: Permitting retaliatory hacking by non-state actors as proportionate countermeasures to transboundary cyberharm. Columbia Journal of Transnational Law 52: 275–323.
Mozur, Paul. 2015. New rules in China upset Western Tech Companies. New York Times, January 28. http://www.nytimes.com/2015/01/29/technology/in-china-new-cybersecurity-rules-perturb-western-tech-companies.html. Accessed 26 Mar 2015.
Mudrinich, Erik M. 2012. Cyber 3.0: The department of defense strategy for operating in cyberspace and the attribution problem. The Air Force Law Review 68: 167–206.
N. Sea Continental Shelf (F.R.G./Den. v. Neth.), 1969. I.C.J. 41, 72 (Feb. 20).
Norton, Steven. 2014. Going beyond due diligence to monitor vendor cybersecurity. Wall Street Journal, March 21. http://blogs.wsj.com/cio/2014/03/21/going-beyond-due-diligence-to-monitor-vendor-cybersecurity/. Accessed 26 Mar 2015.
Obama, Barack. 2009. Remarks by the president on securing our nation’s cyber infrastructure. White House, Office of the Press Secretary. http://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure. Accessed 26 Mar 2015.
Obama, Barack. 2011. International strategy for cyberspace: Prosperity, security, and openness in a networked world. White House. https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf. Accessed 26 Mar 2015.
Obama, Barack. 2013. Executive order on improving critical infrastructure cybersecurity. White House, Office of the Press Secretary. http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. Accessed 26 Mar 2015.
Ophardt, Jonathan A. 2010. Cyber warfare and the crime of aggression: The need for individual accountability on tomorrow’s battlefield. Duke Law and Technology Review 3: 1–76.
Ostrom, Elinor. 2008. Polycentric systems as one approach for solving collective-action problems. Indiana University. http://dlc.dlib.indiana.edu/dlc/bitstream/handle/10535/4417/W08-6_Ostrom_DLC.pdf?sequence=1. Accessed 26 Mar 2015.
Ostrom, Elinor. 2009. A polycentric approach for coping with climate change. The World Bank. http://www.iadb.org/intal/intalcdi/pe/2009/04268.pdf. Accessed 26 Mar 2015.
OWASP Review BSI IT-Grundschutz Baustein Webanwendungen. https://www.owasp.org/index.php/OWASP_Review_BSI_IT-Grundschutz_Baustein_Webanwendungen. Accessed 26 Mar 2015.
PwC. 2012. Eye of the storm: Key findings from the 2012 global state of information security survey. PwC. http://www.pwc.co.nz/global-state-of-information-survey.aspx. Accessed 26 Mar 2015.
Rose-Ackerman, Susan, and Benjamin Billa. 2008. Treaties and national security. New York University Journal of International Law and Politics 40: 437–495.
Ryan, Tim, and Leonard Navarro. 2015. Cyber due diligence: Pre-transaction assessments can uncover costly risks. Kroll, January 28. http://blog.kroll.com/2015/cyber-due-diligence-pre-transaction-assessments-can-uncover-costly-risks/.
Sceats, Sonya. 2015. China’s cyber diplomacy: A taste of law to come? The Diplomat, January 14. http://thediplomat.com/2015/01/chinas-cyber-diplomacy-a-taste-of-law-to-come/.
Schmitt, Michael N. 2013. Tallinn manual on the international law applicable to cyber warfare. Cambridge: Cambridge University Press.
Schmitt, Michael N. 2014. “Below the threshold” cyber operations: The countermeasures response option and international Law. Virginia Journal of International Law 54: 697–732.
Segal, Adam. 2012. China moves forward on cybersecurity policy. Council on Foreign Relations, July 24. http://blogs.cfr.org/asia/2012/07/24/china-moves-forward-on-cybersecurity-policy/. Accessed 26 Mar 2015.
Shackelford, Scott J. 2014. Managing cyber attacks in international law, business, and relations: In search of cyber peace. Cambridge: Cambridge University Press.
Shackelford, Scott J., and Amanda N. Craig. 2014. Beyond the new ‘digital divide’: Analyzing the evolving role of governments in internet governance and enhancing cybersecurity. Stanford Journal of International Law 50: 119–184.
Sklerov, Matthew J. 2009. Solving the dilemma of state responses to cyberattacks: A justification for the use of active defenses against states who neglect their duty to prevent. Military Law Review 201: 1–84.
Statute of the International Court of Justice, art. 38, June 26, 1945, 59 Stat. 1055. http://www.icj-cij.org/documents/index.php?p1=4&p2=2&p3=0.
Tikk, Eneken. 2011. Ten rules of behavior for cyber security. Survival 53(3): 119–132.
Trail Smelter Case. 1938, 1965. Trail Smelter Arbitration (U.S. v. Can.), 3 Rep. Int’l Arb Awards (R.I.A.A.) 1905 (1941).
Verry, John. 2014. Why the NIST cybersecurity framework isn’t really voluntary. Information Security Blogs. http://www.pivotpointsecurity.com/risky-business/nist-cybersecurity-framework. Accessed 26 Mar 2015.
von Heinegg, Wolff Heintschel. 2013. Territorial sovereignty and neutrality in cyberspace. International Law Studies 89: 123–156.
Weihua, Chen. 2014. China protests against US indictment. China Daily, May 20. http://usa.chinadaily.com.cn/world/2014-05/20/content_17519650.htm. Accessed 26 Mar 2015.
Westervelt, Robert. 2013. Kaspersky: Redundancy, offline backup critical for cyberdefense. CRN, February 8. http://www.crn.com/news/security/240148219/kaspersky-redundancy-offline-backup-critical-for-cyberdefense.htm. Accessed 26 Mar 2015.
Wong, Edward. 2014. For China, cybersecurity is part of strategy for protecting the communist party. New York Times, December 3. http://sinosphere.blogs.nytimes.com/2014/12/03/for-china-cybersecurity-is-part-of-strategy-for-protecting-the-communist-party/. Accessed 26 Mar 2015.
Zetter, Kim. 2014. Countdown to zero day. New York: Random House.
© 2017 Springer International Publishing Switzerland
Cite this chapter
Shackelford, S.J., Russell, S., Kuehn, A. (2017). Defining Cybersecurity Due Diligence Under International Law: Lessons from the Private Sector. In: Taddeo, M., Glorioso, L. (eds) Ethics and Policies for Cyber Operations. Philosophical Studies Series, vol 124. Springer, Cham. https://doi.org/10.1007/978-3-319-45300-2_8
DOI: https://doi.org/10.1007/978-3-319-45300-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45299-9
Online ISBN: 978-3-319-45300-2