Due Diligence In The Governance Of International Cyberspace

The rapid development of cyberspace is accompanied by escalating threats.As the economic,political,and cultural development of each country becomes more intertwined with the cyberspace,experts from various countries have also begun to discuss how to apply existing international rules in the field of cybersecurity and whether new rules should be created.Unlike threats in the field of traditional security,activities in cyberspace by non-state actors transcend national borders,and the potential impact is huge.Therefore,it's urgent to discuss how to promote cooperation and reach consensus on the threat of cyberspace among stakeholders.This article will analyze the application of due diligence in the governance of international cyberspace.Although "due diligence" does not directly appear in treaties,the concept is evolving through judgments,resolutions,and doctrines.The principle of due diligence,as a general principle of law,is basically a consensus among Western international law scholars,but in the eyes of Chinese international law scholars,it is yet to be confirmed as a general principle of law.The Corfu Channel case confirms that the obligation of due diligence comes from the status of "knowing" that something could cause serious damage.This obligation is based on widely accepted international principles instead of principles that can only apply in specific circumstances.Therefore,the application of due diligence should not be extremely controversial.Rather,how to apply the obligation of due diligence is worthy of discussion.By definition,due diligence is taking appropriate measures to minimize damage.The International Law Commission tends to keep the definition broad.Since the application of due diligence differs under different circumstances,it's hard to come up with an exact definition.Regarding enforcing due diligence,this obligation emphasizes on taking appropriate measures to prevent major damages,instead of reaching certain goals.The measures taken should also be commensurate with the capabilities of each country.Since the definition,the scope of application,and the measures that will be taken are all dependent on the specific cases,therefore,the next section discusses the characteristics and difficulties of governing international cyberspace.Scholars disagree on the impact of varied technological capabilities.Some scholars claim that given that cyberattacks are"easy to conduct" but cybersecurity is "difficult to defend",even countries that are not technologically advanced may launch attacks with great impact.And countries that are technologically advanced may still have difficulties detecting certain intrusions.From a legal perspective,scholars dispute over "effective control" and "overall control" in terms of accountability.Standards also vary among cases and different scenarios.From the political perspective,if the government is behind a cyberattack or deploys proxies to act on their behalf,international cooperation and investigation that requires involvement of that government will not happen.Despite the difference,the international community has reached a consensus on combating cybercrimes.The expression of eliminating "safe havens" is highly relevant to the obligation of due diligence.The 2015 report of the United Nations Cyber Security Expert Group and the United Nations Open-Ended Working Group(OEWG)have repeatedly requested that countries not use their territories and equipment for wrongful acts and should minimize as many attacks as possible.The Tallinn Manual 2.0,compiled by scholars from many countries,summarizes the practice and trends of international law in the governing international cyberspace.Articles 6 and 7 directly refer to the obligation of due diligence.Article 6 states that countries need to assume the obligations of due diligence in cyberspace,but the Manuel does not further define controversial terms such as"control" and "knowingly".In application,the obligation of due diligence is very flexible,and relevant judgments and studies also mention the principles associated with due diligence when referring to the obligation.It's worth analyzing the relations respectively between due diligence and the principle of prevention,no harm principle,the obligation of informing and warning,the principle of non-interference in internal affairs,and the principle of cooperation and good faith.The precautionary principle stems from due diligence and is one way of enforcing due diligence;the realization of no harm prohibition requires due diligence,but only mandate measures taken against serious damages;"knowing" is the premise of informing and warning,and it is also an important part of due diligence;the more a government emphasizes on the principle of national sovereignty,the more the government would pay attention to due diligence because due diligence originates from the principle of sovereignty;lastly,performing the obligation of due diligence must follow the principles of cooperation and good faith.If originating countries and transiting countries do not have the sincerity to cooperate,then due diligence will be meaningless,since it's mostly an obligation of conduct instead of an obligation of result.In practice,the EU requires countries to introduce minimum standards and reporting requirements for information technology security,as well as regulations on cybersecurity-related legislation in various fields.There are also expressions of due diligence in China's Cyber Security Law.The flexible definition still makes it uncertain in practice.Scholars are also concerned that too much emphasis on due diligence at the national level may lead to violations of privacy.In general,how to urge countries to reach consensus without burdening countries beyond their capabilities remains the focus of international discussions.China should seize the opportunity,actively participate in the governance of international cyberspace,and propose a plan that is in line with China's strategic interest and beneficial to the governance of international cyberspace.