Aditi Kalbhor(Research Intern)
In the present-day battlefield, with the advancement in technology, computer networking and widespread use of the internet, a new threat emerged against all the States which cannot be fought by troops and armed forces. That is cyber warfare, which is the future of all conflicts. The data needs to be protected from cyber warfare, cyber terrorism or any other misuse of critical information. It causes harm to the country's development as well as citizens thereby challenging human rights. The protection and promotion of the rights of the people is a concern of each state for a very long time. At present, cyber-attacks are on the rise, culminating in an increase in cyber-security issues and human rights violations, for which each state is responsible, and which can be settled by adopting the principle of due diligence in cyberspace. This principle is an obligation upon the States to hold them responsible for malicious cyber operations in a rapidly globalising world. This research paper vividly describes both cyber and human right due diligence. It also briefs about the Tallinn Manual 2.0 and the growing challenges in the international realm.
KEYWORDS: Cyber Security, Human Right, Due Diligence, Tallinn Manual.
States have become more willing to attribute cyber-attacks to other states, work with different nations, handling data from all over the world and so on. This culminates in hostile to cyber operations. The principles of sovereignty and non-intervention are evolving and at present, the concept of digital sovereignty has emerged which is nothing but sovereignty over digital data and assets. The term 'sovereignty' is the supreme power of a state over its entire jurisdiction and the 'non-intervention' principle of international law requires States not to interfere in the internal affairs of another State but still retain diplomacy and trade while avoiding conflicts unless related to self-defence. To maintain this, states have to agree that international law, including the principles of sovereignty and non-intervention, does apply to their activities in cyberspace. This will lead to a commitment to refrain from causing trans-boundary harm and ultimately result in the conduct of activities among States with due diligence.
Due Diligence is an evolving principle of international law which prevents cross-border harm to other states. The due diligence obligation imposes an independent duty on States to take affirmative action to stop or prevent their territory, or the items or persons within their jurisdictional control, from knowingly being used to cause internationally wrongful acts (From Grey Zone to Customary International Law: How Adopting the Precautionary Principle May Help Crystallize the Due Diligence Principle in Cyberspace, 2018). It may manifest in different scenarios, such as in environmental cases where the wrongdoer is likely to be known, while unknown in cyber-attack cases. Similarly, trans-boundary harm in case of environment adversely affects natural resources while cyber-attacks cause risks to national infrastructure, privacy, financial loss, system's damage, etc. All such actions result in risks and have a serious negative impact on other states. Thus, the concept of due diligence not only applies to Environmental Impact Assessment (EIA) but also to increasingly borderless crimes such as cybercrime, to secure networks and data, while prosecuting cyber attackers.
PRINCIPLE OF DUE DILIGENCE IN INTERNATIONAL LAW:
The concept of due diligence is of great significance and not novel to international law. Its scope is expanding, spanning across environmental protection, human rights and now governing cyberspace. Due diligence is concerned with means and not results. The obligation of means prohibits certain conduct or behaviour by States, while the obligation of results is being diligent towards that end. The due diligence rule derives from the ancient maxims uteretuoutalienum non-leads, meaning use your property in such a manner as not to injure that of others. (Security and Human Rights Challenges of Cyber Due Diligence, 2020)It sets out an obligation that no state has the right to permit the use of its territory which may cause harm or injury to another state's territory, property or persons therein. This was first recognised in the Corfu Channel's case of 1949 wherein the International Court of Justice held that it is the obligation of every State not to knowingly allow the usage of its territory for acts contrary to the rights of other States.
DUE DILIGENCE IN CYBERSPACE:
Today, the scope and domain of crime have completely changed. It not only consists of bodily offences but also virtual offences. The 2014 Sony hack, Cyber-warfare by Russia, etc. are incidents depicting the seriousness of cyber-crime posing a threat to international peace and security. Cyber-attacks are proliferating, occupying central positions and multiplying cybercrimes in the society. Hence, to control cyber threats and make efficient use of information and communication technology, the principle of due diligence needs to be adopted in the field of international cyber-security as well. Thus, does a nation have proper infrastructure and regulations to implement cyber due diligence and to what extent?
The term cyber-security due diligence has been defined as, "the review of the governance, processes and controls that are used to secure information assets." Such due diligence obligations may exist in three categories, between two states, between two non-state actors (e.g., private corporations), and between state and non-state actors (2019).A state's cyber diligence framework should be incorporated with certain principles but before that, it requires a proper infrastructure and model like due diligence models from international environmental law or law of the sea. In 2000, the United Nations General Assembly along with United Nations Group of Governmental Experts on developments in the field of information and telecommunications on international security (UNGGE) called on all states that their territories, and especially the computer systems and infrastructure situated there or otherwise under the states' control, is not misused for attacks on the infrastructure of other states (Due Diligence in Cyberspace; Guidelines for International & European Cyber Policy and Cyber-security Policy, 2016).
THE TALLINN MANUAL:
The Tallinn Manual is a non-binding study on how international law applies to cyberspace. It consists of two manuals - The 2013 Tallinn Manual on Cyber Warfare (Tallinn Manual 1.0)' and The 2017 Tallinn Manual on Cyber Operations (Tallinn Manual 2.0). An independent group of experts behind these manuals have endorsed the application of the due diligence principle in cyberspace, but its scope and extent is still a matter of discussion. Rule 6 of the manual states, "a State must exercise due diligence in not allowing its territory, or territory or cyber-infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States”(THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS). According to the group of experts, this principle generally applies when cyber operations have adverse consequences related to a legal right of a State, mounted from another State's territory but they disagreed on the point that there was a preventive or precautionary element tied to this obligation. Thus, States are not required to remedy all trans-boundary harms but only those which have serious consequences. This feature is not well defined as to what "serious consequence" means. Another important aspect is, for a state to be held responsible for applying the due diligence principle, to prevent trans-boundary harm, the state must have constructive knowledge. This implies in a normal course of events the state does not require taking preventive measures to be apprised of any potential trans-boundary harm. While, when a state knows about the trans-boundary harm, it should take all required measures to tackle cyber operations. Lastly, not every state complies with due diligence because it also places a responsibility on them. The Rule states that in the United Nations Group of Governmental Experts (UN GGE), states were only willing to admit that they “should” exercise due diligence, rather than that they “must"(THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS).
PRIVATE SECTOR'S APPROACH TOWARDS CYBER SECURITY DUE DILIGENCE:
To secure networks and digital assets, both States and companies (Private sector) should undertake certain proactive mechanisms for creating cyber-security due diligence norms and framework under international law. For instance, the NIST Cyber Security Framework of 2014 which is a Cyber Security Framework aimed at improving critical infrastructure cyber-security and its activities. It describes five main functions: Identity, Protect, Detect; Respond and Recover, to enhance and implement security measures. NIST not only provides a system for domestic critical infrastructure but also to other nations through NIST collaborations with nations like the United Kingdom, Japan, Korea, Estonia, Israel and Germany which helps to maintain and harmonise global cyber-security practices. Moreover, Germany is known for its robust national data protection laws and is now moving towards the creation of cyber-security standards for critical infrastructure to contribute and develop the field of cyber-security due diligence. The 2016 Report of the SWP think tank, encourages the development of cyber-security due diligence norms as an international legal standard. It stipulates that a state must take all measures necessary in preventing actions from its territory to infringe on the rights of other territories. These are among the innovations from nations and private sectors to tackle cyber-security threats.
WHAT ARE HUMAN RIGHTS DUE DILIGENCE?
The Protect, Respect and Remedy Framework (PRR) or Ruggie framework is a framework designed for business and human rights to the United Nations Human Rights Council. It defines the corporate responsibility to respect as the responsibility 'to avoid infringing on the rights of others'(Human Rights and Cyber-security Due Diligence: A Comparative Study, 2017).In short, business corporations should take care that their actions do not cause any harm to human rights and if they are infringed, human rights due diligence are to be exercised. Human Rights have attached due diligence principle as a duty to investigate and to prevent human right violations. This can be linked in cyberspace too.
LINKING HUMAN RIGHTS AND CYBER DUE DILIGENCE:
Information and Communication Technology facilitates all aspects worldwide by allowing everyone to work with people from all around the world. However, as of today, we see everyone is getting accustomed to the 'new normal' and working virtually. Almost every activity is being held online. Such extensive use of ICT has given rise to cyber threats. These threats have a severe impact on people's lives. Human rights and cyber-security are emerging issues and vital components of sustainable development. There is a need to ensure that human rights lie at the core view of cyber-security so that the networks and people are both secured.
The Freedom Online Coalition (FOC) defines cyber-security as "the preservation – through policy, technology, and education – of the availability, confidentiality and integrity of information and its underlying infrastructure to enhance the security of persons both online and offline"(Esterhuysen, 2019). This definition depicts how cyber-security threats can be human rights violations. There is national legislation through which states are combating cyber-attacks but it being a transnational threat there is an imperative need for proper regulation, laws and policies to monitor and safeguard human rights at international level. This is where due diligence will play a vital role. A framework of human rights and cyber due diligence will make the States responsible for their actions and hold them accountable.
As per Human Rights Council Resolutions on the 'promotion, protection and enjoyment of human rights on the internet, it has been well established that international human rights law is also applicable to the digital world. Yet, in the case of cyber-security, it is still a developing field. This is primarily because cyber-security issues are treated and responded as state-on-state attacks rather than separate cyber-attacks. Since 2013 the United Nations has held international humanitarian law and international human rights law as applicable in cyberspace. Further, as mentioned earlier, the United Nations Group of Governmental Experts give central importance to human rights and recommend all states to respect the same.
HUMAN RIGHTS LAW TO CYBER SPACE:
When it comes to human rights we usually touch upon the Universal Declaration of Human Rights. It includes principles that can be applied to cyber-security. For instance, Article 19 of UDHR talks about the right to freedom of speech and expression and to access information; Article 3 states that everyone has the right to life, liberty and security of person. Despite the application of human rights law to cyberspace, it is difficult to enforce it as states don't regard the jurisdiction and scope of human rights as extraterritorial, but they respond to human rights violations only on their territory and ignore the rules of international law. The United Nation's High Commission for Human Rights in 2011 stated that human rights are equally valid online as well as offline. Later in 2013, the United Nations General Assembly along with its governing bodies and representatives voted to confirm people's right to privacy in the digital age. Then, Rule 36 of the Tallinn Manual 2.0 deals with obligations to respect and protect international human rights from abuse and threats by third parties. Lastly, conforming to the Maastricht Principles on the Extraterritorial Obligations of States, States are responsible for violating the human rights of people outside their territory. Likewise, it is the duty of every state whether acknowledging the due diligence principle or not, they are accountable and obliged to prevent transboundary harm.
CYBER DUE DILIGENCE IN INDIA:
In India, the purview of 'Cyber Due Diligence' is confined. Here, cyber law due diligence is concerned with Internet Intermediary Liability in India where the internet intermediaries have to comply with the principle. The Information Technology Act, 2000 covers due diligence requirements that banks, e-commerce platforms, search engines, companies and other intermediaries must follow. Still, it is not taken seriously until some criminal act takes place. It also provides for civil and criminal liabilities for non-observance of due diligence. In recent times there are a rising number of issues regarding cybercrimes, e-commerce, copyright issues, etc. which needs to be considered. The government is ignorant regarding the concept and its implementation. Still, there is much more to be explored about due diligence in India.
SUGGESTIONS AND RECOMMENDATIONS:
1. Firstly, states should undertake and establish national rules and policies like NIST. They should also have control over information and communication technology and critical information infrastructure. Then, states can eventually contribute to the international law obligation on cyber due diligence.
2. Human Rights should be promoted using the United Nations Guiding Principles. Cyber-security policies have a direct impact on human rights, new cyber-security policies should be developed for encrypting data and discarding unneeded data to secure and protect people's information and digital assets and maintain privacy at the same time. There should be proper mechanisms to monitor and handle data. This will ensure accountability.
3. Groups of individuals can come together and engage themselves in research about cyber-security and provide analysis of government policies. In this way, it will only help to gain knowledge but also, help in adopting effective cyber-security policies that safeguard human rights.
4. Lastly, there is a need to spread awareness about the rising number of cyber-attacks in India. Through this, the stakeholders and companies will be vigilant about their actions and conduct cyber due diligence.
The escalating range of cyber-attacks that are occurring throughout the world needs to be addressed. Due diligence, still an emerging phenomenon in cyber-security is not a one-time thing, but an ongoing process which is crucial for states to prevent transboundary harm. States should comply with it for identifying and remediating the cyber risks and vulnerabilities.
The principle of due diligence is notable in environmental cases, the law of the sea and steadily being espoused to the digital age. However, it is not widely endorsed as a binding rule of international law. This makes it difficult to legally address and tackle the issue of the trans-boundary human rights violations of hostile cyber operations. Developing, adopting and implementing a proper framework to the cyber due diligence will promote international cooperation rather than conflicts, ensure accountability and be the key for prevention of cyber-attacks.
1. 2019. Due Diligence in Cyber-security. s.l.: Cadzow Communications Consulting Ltd, 2019.
2. Due Diligence in CyberspaceGuidelines for International and European Cyber Policy and Cyber-security Policy. Bendiek, Annegret. 2016. Berlin: StiftungWissenschaft und Politik, 2016. ISSN 1863-1053.
3. Esterhuysen, Deborah Brown &Anriette. 2019. Association for Progressive Communications. APC. [Online] APC News, November 28, 2019. [Cited: July 30, 2020.] https://www.apc.org/en/news/why-cybersecurity-human-rights-issue-and-it-time-start-treating-it-one.
4. From the Grey Zone to Customary International Law: How Adopting the Precautionary Principle May Help Crystallize the Due Diligence Principle in Cyberspace. Stockburger, Peter Z. 2018. San Diego, California: NATO CCD COE Publications, Tallinn, 2018.
5. Human Rights and Cyber-security Due Diligence: A Comparative Study. Shackelford, Scott J. 2017. 4, s.l.: University of Michigan Journal of Law Reform, 2017, Vol. 50.
6. Security and Human Rights Challenges of Cyber Due Diligence. Ponta, Adina. 2020. s.l: Harvard International Law Journal, 2020.
7. THE TALLINN MANUAL 2.0: HIGHLIGHTS AND INSIGHTS. JENSEN, ERIC TALBOT. s.l: GEORGETOWN JOURNAL OF INTERNATIONAL LAW.