Introduction
Cyberspace refers to the digital environment in which various operations such as the creation, storage, and sharing of data are carried out. Although activities in cyberspace are executed through physical devices, the domain itself is digital rather than physical, distinguishing it from traditional, tangible domains.
As a relatively new domain, cyberspace lacks its own binding rules and customary norms. Moreover, because it is not a physical space, applying the legal regimes governing land, sea, or air to cyberspace is particularly challenging. This difficulty stems from factors such as the absence of clear boundaries, the intangible nature of activities conducted within it, and the complexity of identifying the perpetrators of such acts. While there is no binding treaty governing the field, the Tallinn Manual 2.0 (hereinafter: the Manual), prepared under NATO auspices, serves as a key reference on how international law can be applied to cyberspace. However, this manual does not address all the legal challenges the domain presents.
One of the most pressing issues in cyberspace is state responsibility for activities conducted therein. Until a robust body of international legal practice develops, cyberspace remains susceptible to abuse – and indeed has already been used multiple times by States to steal or manipulate each other’s data and cause harm.
The established principles of state responsibility prove inadequate for identifying wrongful acts in this domain – especially in attributing them to a State (See: Nicaragua v. United States, 1986, para. 115). The high attribution threshold of the classical regime, particularly the Nicaragua standard applied to uses of force, is ill-suited to cyber operations that can have comparable consequences (The Manual, Commentary of Rule 15, para. 6). Due to the global nature of cyberspace and the difficulty of tracing an attack to its source, cyberattacks often cannot be attributed to a State and therefore remain without sanction. The lack of cooperation and information-sharing among States further hampers attribution efforts (UN OEWG Final Report 2021, A/75/816, p. 19, paras. 10-14).
This piece aims to address the resulting impunity by proposing an alternative approach that does not alter the established concepts and thresholds of international law. Drawing on due diligence as a general principle of State responsibility (See: Commentary of ARSIWA, Article 2, paras. 3-4) – and the prohibition on allowing one’s territory to be used to harm another State – it will explore how this obligation can avoid the attribution problem in cyberattacks. Moreover, embedding due diligence in the cyber domain could encourage States to protect one another and to cooperate more actively in ensuring global cyber security.
- Concepts of Cyber Operations:
To ensure the problem is well understood, it is first necessary to clarify the concepts of cyber operation and cyber attack.
The Tallinn Manual 2.0 defines a cyber operation as any cyber activity carried out in cyberspace with the aim of achieving a specific objective (see, The Manual, Glossary). Such activities may sometimes be intended to cause harm, but may also involve actions – such as system monitoring – that are not directly harmful. A cyber attack, on the other hand, is a specific type of cyber operation that either intends to cause, or directly results in, damage to the target system (see, The Manual, Rule 92). This damage may be economic, physical, or digital in nature.
Cyber attacks are carried out by breaching one or more of the core elements that information systems are designed to protect. In information security, three such elements have been universally recognized since the 1972 Anderson Report and were developed by Steve Lipner in 1986: Confidentiality, Integrity, and Availability, collectively referred to as the C-I-A triad. (See also: Der Ham’s Article on Cybersecurity)
Confidentiality means that data within a system is accessible only to authorized individuals. Unauthorized access, data leakage, or surveillance activities constitute breaches of confidentiality. Operations of this type are generally not classified as cyber attacks unless they cause actual damage. Thus, a breach of confidentiality alone rarely qualifies as a cyber attack, though it may occur as part of one (e.g., the 2015 Ukraine power grid attack).
Integrity refers to ensuring that data within a system is not altered or corrupted without authorization. Operations such as the creation of falsified documents or data manipulation fall under this category. Integrity breaches generally have a greater potential to cause serious impact than confidentiality breaches. Whether an integrity-related operation constitutes a cyber attack depends on its effect. While small-scale manipulations may remain at the “cyber operation” level, incidents like the Stuxnet operation against Iran – causing physical damage and measurable harm – are clearly classified as cyber attacks.
Availability refers to the ability to access and use systems and data when needed, without disruption. Activities that disable infrastructure or crash networks breach this element. Such attacks are often carried out either by hijacking real devices (botnets) or by generating vast numbers of fake accounts on global cloud platforms (e.g., AWS, Google Cloud), which are then coordinated via a command-and-control (C2) server to send repeated, simultaneous requests to a targeted cyber infrastructure. When traffic exceeds capacity, the system becomes unresponsive and collapses – sometimes for days. (See also: How command-and-control works)
When directed at critical infrastructure – such as electrical grids, healthcare systems, or public safety networks – availability attacks can readily cause physical harm. A prominent example is the 2017 “WannaCry” attack in the United Kingdom, where blocked access to healthcare data halted ambulance dispatches and forced the cancellation of surgeries, with reported loss of life linked to the incident.
The attacks forming the core focus of this article involve overwhelming critical infrastructure – such as healthcare, electricity, or security systems – with more requests than they can process, causing system failure.
Cyberspace, as discussed above, emerges as a distinct “sphere of sovereignty.” (See also: The Manual, Commentary of Rule 4, paras. 1–2). Consequently, a State’s activities – and in some cases even its omissions – that cause harm within another State’s cyberspace will constitute an internationally wrongful act.
In this regard, the Tallinn Manual 2.0, which seeks to apply the general principles of international law and the ARSIWA regime to the cyber domain, stands out as the most significant work undertaken to date (See, in the same vein: Barnsby & Reeves’ Article on Tallinn Manual, pp. 1514-1515). This study likewise aims to explain the international responsibility regime arising from cyber operations in line with the framework provided by the Manual and ARSIWA.
- Responsibility Regimes in the Manual and ARSIWA
To understand the regime of responsibility in cyberspace, it is first necessary to set out the concept of responsibility under the classical framework. According to this regime, the emergence of international responsibility requires the commission of an internationally wrongful act.
Article 2 of ARSIWA links an internationally wrongful act to two essential conditions: the act must constitute a breach of an international obligation, and it must be attributable to a State.
In addition to these elements, the existence of an injury is also a significant component of the international responsibility regime, as it forms the basis for engaging responsibility and claiming reparation.
Once cyberspace is recognized as a domain of sovereignty, situations in which a State intrudes into another State’s sovereign cyber domain will meet the breach requirement.
Likewise, if the acting State can be identified, an internationally wrongful cyber act will be established, and any resulting injury, if present, may give rise to reparation, just like the classical regime.
However, as mentioned above, attributing an internationally wrongful act to the responsible or negligent State can prove challenging even in the classical domain.
In the context of cyberattacks, this issue becomes even more complex: identifying the perpetrator of a cyber act is exceedingly difficult due to the decentralized nature of internet infrastructure and the limited capacity for reliable backtracking.
At this point, the attribution threshold itself varies depending on the type of wrongful act in question, even in the classical domain (e.g., Nicaragua v. United States). Therefore, each type of wrongful act should be analyzed independently.
ARSIWA classifies internationally wrongful acts into special categories based on the nature of the breached norm. Following this classification, and as reflected in the Manual, we can identify four distinct categories of specifically regulated wrongful cyber acts:
- Matter of Attribution and The Threshold
Cyber operations may give rise to international responsibility under different legal regimes, depending on their intensity and effects. The use of force, as outlined in Articles 69–71 of the Tallinn Manual, applies when a cyberattack’s scale and consequences are comparable to those of conventional armed force. This includes scenarios where attacks on critical infrastructure – such as healthcare systems or emergency services – lead to physical damage or loss of life. Among all cyber operation types, availability attacks, especially large-scale Distributed Denial of Service (DDoS) attacks, are most likely to meet this threshold. If the effects are particularly severe, such operations may even amount to an armed attack, justifying self-defense under Article 51 of the UN Charter.
Below this threshold lies the violation of sovereignty and the prohibition of intervention, regulated by Articles 4 and 66 of the Manual. Even if a cyber operation does not qualify as a use of force, it may still breach the obligation to respect another State’s sovereignty, particularly when it targets sensitive areas of governance known as the domaine réservé – such as elections, public order, or economic systems. However, for an act to qualify as prohibited intervention, it must also be coercive in nature. Thus, this regime rests on both the domain of interference and the manner of influence.
A third basis of responsibility is aiding and assisting in a cyberattack, governed by Rule 18 of the Manual. A State that knowingly supports another State’s cyber operation – whether by providing infrastructure, intelligence, or operational tools – may incur secondary responsibility, even if it does not conduct the attack itself. Although this regime has a relatively lower attribution threshold, establishing the aiding State’s intent and link to the primary actor remains complex.
Across all three regimes, attribution involves similar steps: tracing the operation to specific devices, identifying the command-and-control infrastructure, determining who operates it, and linking that individual to a State. (See: The Manual, Commentary of Rule 15, paras. 5-7) While the required standard of proof varies – being highest in use of force cases and lower in intervention or assistance – the underlying technical barriers, such as obfuscation, cross-border infrastructure, and anonymous actors, make attribution extremely difficult in practice. (The Manual, Commentary of Rule 15, para. 6)
Beyond these technical steps to detect the C2 infrastructure, attributing responsibility for each of these types requires two further classical burdens of proof, which are even more difficult to meet. The first is identifying the operator, which is nearly impossible given the time required for backtracking and the likelihood that the operator is located outside the attacked State.
Even if some backtracking succeeds in identifying the operator, establishing an organic link between the operator and a State goes beyond technological means; it demands substantial intelligence efforts, which may not be feasible or appropriate to present before a court.
As a result, establishing responsibility for these internationally wrongful acts is extremely difficult without near-conclusive evidence – regardless of the attribution threshold. This creates a legal vacuum prone to abuse. However, the “due diligence” obligation, which is still developing and relatively underexplored in the context of cyber operations, operates under a different threshold than these wrongful acts and may offer a viable means to overcome this gap.
- Due Diligence in Cyber Domain:
Due diligence is a well-established general principle of international law, most notably recognized in the context of environmental protection and transboundary harm prevention. It requires States not only to avoid directly causing harm (negative obligation), but also to take reasonable, proactive measures to prevent harmful conduct emanating from their territory (positive obligation). (See: Corfu Channel Case, Judgment of 9 April 1949, para. 68) This responsibility is not outcome-based, but effort-based: a State will be held accountable not for the harm itself, but for failing to act when it should have known and could have prevented such harm. (See: Commentary of ARSIWA, Article 2, paras. 3-4)
Accordingly, due diligence must be seen as applicable to the cyber domain as well. Although it has not yet been crystallized into a specific, universally codified norm in this area, the combination of ARSIWA’s customary authority, general principles of international law, and instruments like the Tallinn Manual provides a compelling legal basis. (See: the Manual, Art. 6) In cyberspace, this duty obliges States to ensure that actors operating within their jurisdiction do not use their networks and infrastructure in ways that cause significant harm to the rights or security of other States. It reflects a fundamental norm of responsible state behavior: no State may allow its cyber territory to be used to the detriment of another.
In the context of the due diligence obligation, the attribution threshold does not pose a significant challenge. This is because the legal inquiry shifts from determining whether a cyber operation is attributable to a State, to whether the State knew or ought to have known about harmful activities emanating from its territory and failed to take appropriate action. (See: Pulp Mills on the River Uruguay, Judgment, 2010, paras. 101 & 197) Accordingly, the complex attribution requirements, such as detecting the operator and establishing the link between the operator and the State, are not relevant to this positive obligation.
Thus, even when the perpetrator of a cyberattack cannot be definitively identified, the due diligence obligation may still offer a viable legal pathway – allowing the prevailing reality of “impunity” to be challenged.
Furthermore, a cyber regime based solely on negative obligations – whose attribution is notoriously difficult – places global cybersecurity at serious risk. In the absence of positive obligations, inter-State cooperation remains limited, undermining the collective security of the international community. Through the incorporation of positive obligations such as due diligence, States can both contribute to each other’s protection and foster cooperation, thereby enhancing international cybersecurity.
As a result, focusing on due diligence offers two key advantages for addressing the unique challenges of cyberspace:
(1) It provides a pathway to establish international responsibility without the need to overcome the complex burden of attribution, which is often unfeasible in cyber operations.
(2) It reinforces the notion that States have a duty to protect one another by taking reasonable steps to prevent harm from originating within their territory, thereby promoting cooperation and mutual assistance in the cyber domain.
Conclusion and Transition to Part II
The examination in this first part has established that due diligence, if properly adapted to the realities of cyberspace, has the potential to fill a critical gap in the current international legal framework. By focusing on a State’s obligation to monitor and address harmful cyber activities originating from within its jurisdiction, the discussion shifts away from the insurmountable challenges of attribution and toward a more preventative, cooperative model of responsibility. This reconceptualisation does not alter the core thresholds of international law, but rather operationalises them in a way that is responsive to the technical and transboundary nature of the cyber domain.
The second part of this article will seek to apply the three classical due diligence tests – tests of foreseeability, prevention capacity, and harm – to the cyber domain. While it will generally follow the Tallinn approach, it will, at certain points, interpret ARSIWA differently and propose a regime that places due diligence at the forefront.
This theoretical framework will be concretized by examining the threefold due diligence test in the context of cyberspace step by step, and by putting forward an alternative and more effective liability regime to the existing approach in international law.