State Responsibility and Cyberattacks: Defining Due Diligence Obligations

Author: Ian Yuying Liu
The Indonesian Journal of International & Comparative Law
ISSN: 2338-7602; E-ISSN: 2338-770X
© 2017 The Institute for Migrant Rights Press
This paper was initially written in partial fulfilment of my LLB at Monash University.
I wish to thank Professor Douglas Guilfoyle and Kathryn Browne for their insightful
feedback on earlier drafts of the manuscript; and the editorial team at The Indonesian
Journal of International and Comparative Law for their excellent assistance. Any
errors remain my own.
Ian Yuying Liu
Faculty of Law, Monash University
Cyberattacks are proliferating. Live trackers record over 6 million cyberattacks
daily. Information technology-dependent societies increasingly perceive
cyber-threats as a destabilising force and citizens inevitably look to the State for
protection. This paper concerns one form of State protection: whether States owe
due diligence obligations in cyberspace under the laws of State responsibility.
Specifically, it re-examines the contents of such an obligation and the
circumstances which could trigger it in light of cyberattacks’ peculiarities. A
straightforward replication of due diligence models from international environmental
law or law of the sea is not appropriate. But cyber-diligence should incorporate
certain principles found within both models and channel ultimate responsibility
for securing cyber-infrastructure onto private industry. Counter-terrorism
obligations are the most useful body of law in which to seek an analogy. This
paper argues that a State’s cyber-diligence obligation is triggered, at a minimum,
by: (1) constructive knowledge of a cyberattack, (2) which causes serious injury
to an operating network. These contents and triggers define a cyber-diligence
framework. Public pressure on the State and the market to intensify responses to
transnational cyber-threats will drive the adoption of such principles.
Keywords: Information Technology Law, Non-State Actors, Cyber War, National
Security, Internet Governance.
IV Indonesian Journal of International & Comparative Law 191-260 (April 2017)
In April 2001, a U.S. surveillance plane and a Chinese fighter jet collide
over the South China Sea. The Chinese F-8 crashes, killing its pilot.
Meanwhile, the U.S. plane makes an emergency landing on Hainan Island.
China detains twenty-four U.S. crew members for eleven days in
a military base.2

A Sino-U.S. “cyber-war” commences.3 U.S. hackers retaliate against
the crew’s detention, defacing Chinese websites with messages including:
“first you China men try and take our plane and crew . . . what is next?
Our home land? Our freedom?”4 In response, “patriotic” Chinese
hacktivists strike back. In a self-branded “cyber-operation defending
our country,”5 hacktivists deface U.S. “.gov” and “.com” websites,6
leaving messages, including: “long live Chinese nationality!”7 Notably,
the hacktivists on both sides were private actors, who rationalized
their actions as legitimate patriotic demonstrations.8 This fact has led
some to speculate that the Chinese government’s information warfare
strategy includes “sponsoring” Chinese hacktivists.9 The terminology
of “sponsoring” implies a form of state responsibility and insinuates
that hacktivism may be attributed to China under the relevant tests in
general international law.10 But attribution is only one possible test of
State responsibility.

1. Hacktivism: the use of cyberattacks to communicate political messages.
2. C R. S, C-U.S. A C  A
: A  P I (2001).
3. Craig S. Smith, May 6-12; The First World Hacker War, N.Y. Times (May 13,
2001), available at
6-12-the-rst-world-hacker-war.html (last visited Oct. 20, 2016).
4. X W, C C N: E, C 
I 55 (2007).
5. Id. at 54.
6. N’ I P C, C P:
T T  U.S. I I 3 (2001),
available at (last visited Apr. 15, 2016).
7. X, supra note 4.
8. N K, T G C I 152 (2010).
9. Christian Czosseck, State Actors and their Proxies in Cyberspace, in P-
 R F S A  C 22 (Katharina Ziolkowski
ed., 2013).

What is a State’s responsibility for its own actions or inaction during
these cyberattacks?11 A due diligence obligation in cyberspace12
(“cyber-diligence”), if established, would offer victim States alternative legal
recourse for a territorial State’s breach of a primary obligation.13 Subject
to the contents and triggers of the obligation defined below, China and
the U.S. could invoke one another’s responsibility for failing to prevent
hacktivism within their territories.14 The failure could constitute an
internationally wrongful act, which would then enable either State to
seek reparations.15

The present paper uses hacktivism as its opening case study to
canvass the issue of State responsibility in cyberattacks. We now turn to
examine, starting from first principles, the merits of including a
cyber-diligence obligation as part of the State responsibility framework.

10. See Stefan Talmon, The Responsibility of Outside Powers for Acts of Secessionist
Entities, 58 Int’l & Comp. L. Q. 493 (2009).
11. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, arts.
2(b), G.A. Res 56/83, 53rd Sess., Jan. 28, 2002, U.N. Doc. A/RES/56/83 (Dec.
12, 2001).
12. This paper adopts the definition of cyberspace as: the “[g]lobal domain within
the information environment consisting of the interdependent network of
information technology infrastructures, including the internet, telecommunications
networks, computer systems, and embedded processors and controllers.”
U.S. D’  D, D S  D M:
T D  C (May 12, 2008).
13. The State(s) from which the cyberattacks originate, or whose networks are
implicated in the cyberattack (territorial State). The State(s) whose networks are
injured in a cyberattack (victim State).
14. 1 O’ I L: P 391-92 (Robert Jennings & Sir
Arthur Watts eds, 9th ed. 2008).
15. Int’l L. Comm., supra note 11, at 38 ch. II. 91 art. 31.
