State Responsibility and Cyberattacks: Defining Due Diligence Obligations

• Author: Ian Yuying Liu
• Pages: 191-259

e Indonesian Journal of International & Comparative Law

ISSN: 2338-7602; E-ISSN: 2338-770X

http://www.ijil.org

© 2017 e Institute for Migrant Rights Press

is paper was initially written in partial fullment of my LLB at Monash University.

I wish to thank Professor Douglas Guilfoyle and Kathryn Browne for their insightful

feedback on earlier dras of the manuscript; and the editorial team at e Indonesian

Journal of International and Comparative Law for their excellent assistance. Any

errors remain my own.

STATE RESPONSIBILITY AND CYBERATTACKS

DEFINING DUE DILIGENCE OBLIGATIONS

Ian Yuying Liu

Faculty of Law, Monash University

E-mail: ian.liu@hotmail.com

Cyberattacks are proliferating. Live trackers record over 6 million cyberattacks

daily. Information technology-dependent societies increasingly perceive cy-

ber-threats as a destabilising force and citizens inevitably look to the State for

protection. is paper concerns one form of State protection: whether States owe

due diligence obligations in cyberspace under the laws of State responsibility.

Specically, it re-examines the contents of such an obligation and the circum-

stances which could trigger it in light of cyberattacks’ peculiarities. A straight-

forward replication of due diligence models from international environmental

law or law of the sea is not appropriate. But cyber-diligence should incorporate

certain principles found within both models and channel ultimate responsibil-

ity for securing cyber-infrastructure onto private industry. Counter-terrorism

obligations are the most useful body of law in which to seek an analogy. is

paper argues that a State’s cyber-diligence obligation is triggered, at a minimum,

by: (1) constructive knowledge of a cyberattack, (2) which causes serious injury

to an operating network. ese contents and triggers dene a cyber-diligence

framework. Public pressure on the State and the market to intensify responses to

transnational cyber-threats will drive the adoption of such principles.

Keywords: Information Technology Law, Non-State Actors, Cyber War, National Se-

curity, Internet Governance.

IV Indonesian Journal of International & Comparative Law 191-260 (April 2017)

192

Liu

I. CASE STUDY: “PATRIOTIC”

HACKTIVISTS1

In April 2001, a U.S. surveillance plane and a Chinese ghter jet collide

over the South China Sea. e Chinese F-8 crashes, killing its pilot.

Meanwhile, the U.S. plane makes an emergency landing on Hainan Is-

land. China detains twenty-four U.S. crew members for eleven days in

a military base.2

A Sino-U.S. “cyber-war” commences.3 U.S. hackers retaliate against

the crew’s detention, defacing Chinese websites with messages including:

“rst you China men try and take our plane and crew . . . what is next?

Our home land? Our freedom?”4 In response, “patriotic” Chinese

hacktivists strike back. In a self-branded “cyber-operation defending

our country,”5 hacktivists deface U.S. “.gov” and “.com” websites,6

leaving messages, including: “long live Chinese nationality!”7 Notably,

the hacktivists on both sides were private actors, who rationalized

their actions as legitimate patriotic demonstrations.8 is fact has led

some to speculate that the Chinese government’s information warfare

strategy includes “sponsoring” Chinese hacktivists.9 e terminology

1. Hacktivism: the use of cyberattacks to communicate political messages.

2. C R. S, C-U.S. A C  A

: A  P I (2001).

3. Craig S. Smith, May 6-12; e First World Hacker War, N.Y. T (May 13,

2001), available at http://www.nytimes.com/2001/05/13/weekinreview/may-

6-12-the-rst-world-hacker-war.html (last visited Oct. 20, 2016).

4. X W, C C N: E, C 

I 55 (2007).

5. Id. at 54.

6. N’ I P C, C P:

T T  U.S. I I 3 (2001),

available at http://www.au.af.mil/ (last visited Apr. 15, 2016).

7. X, supra note 4.

8. N K, T G C I 152 (2010).

9. Christian Czosseck, State Actors and their Proxies in Cyberspace, in P-

 R F S A  C 22 (Katharina Ziolkows-

ki ed., 2013).

193

State Responsibility and Cyberattacks: Dening Due Diligence Obligations

Liu

of “sponsoring” implies a form of state responsibility and insinuates

that hacktivism may be attributed to China under the relevant tests in

general international law.10 But attribution is only one possible test of

State responsibility.

What is a State’s responsibility for its own actions or inaction during

these cyberattacks?11 A due diligence obligation in cyberspace12 (“cyber-

diligence”), if established, would oer victim States alternative legal

recourse for a territorial State’s breach of a primary obligation.13 Subject

to the contents and triggers of the obligation dened below, China and

the U.S. could invoke one another’s responsibility for failing to prevent

hacktivism within their territories.14 e failure could constitute an

internationally wrongful act, which would then enable either State to

seek reparations.15

e present paper uses hacktivism as its opening case study to

canvass the issue of State responsibility in cyberattacks. We now turn to

examine, starting from rst principles, the merits of including a cyber-

diligence obligation as part of the State responsibility framework.

10. See Stefan Talmon, e Responsibility of Outside Powers for Acts of Secessionist

Entities, 58 I’  C. L. Q. 493 (2009).

11. Int’l L. Comm., Responsibility of States for Internationally Wrongful Acts, arts.

2(b), G.A. Res 56/83, 53rd Sess., Jan. 28, 2002, U.N. Doc. A/RES/56/83 (Dec.

12, 2001).

12. is paper adopts the denition of cyberspace as: the “[g]lobal domain within

the information environment consisting of the interdependent network of in-

formation technology infrastructures, including the internet, telecommunica-

tions networks, computer systems, and embedded processors and controllers.”

U.S. D’  D, D S  D M:

T D  C (May 12, 2008).

13. e State(s) from which the cyberattacks originate, or whose networks are im-

plicated in the cyberattack (territorial State). e State(s) whose networks are

injured in a cyberattack (victim State).

14. 1 O’ I L: P 391-92 (Robert Jennings & Sir

Arthur Watts eds, 9th ed. 2008).

15. Int’l L. Comm., supra note 11, at 38 ch. II. 91 art. 31.