Due Diligence and the U.S. Defend Forward Cyber Strategy
As its name implies, the 2018 US Department of Defense Defend Forward strategy is principally reactive. The strategy assumes that the United States will continue to suffer harm from competitors and malign actors through cyberspace. Accordingly, it outlines US reactions in order to preempt threats, defeat ongoing harm, and deter future harm. Previous strategies have instructed similarly, but the 2018 National Cyber Strategy purports to reflect a strategic evolution in its overt commitment to countering cyber harm at its origin and to doing so not intermittently or episodically but on a “day-to-day” basis. Defending forward involves a wide range of cyber activities, but a defining feature will likely be routine nonconsensual cyber operations in the networks of hostile foreign governments and private actors.
These operations are sure to require technical, doctrinal, political, and even diplomatic reevaluations. But they also call for review of supporting international legal justifications. While a host of international law doctrines will be relevant to Defend Forward, the principle of due diligence is likely to play a significant role, in light of both the reactive nature of Defend Forward and the interconnected yet shadowy domain of cyberspace.
Well before the Defend Forward strategy or even cyberspace itself emerged, states developed the international law obligation of due diligence as an important regulation of international relations. In the incomplete and fragmented international legal system, due diligence has served as a general policing regime to manage and redress harm between states. At its most general level, due diligence requires states to take reasonable measures to put a stop to activities, whether private or public, within their borders that cause serious adverse consequences to other states. Breaches of due diligence do not require that harm be attributed to a state, only that a state knew of and failed to quell harm coming from its territory. International tribunals and publicists have repeatedly confirmed that breaches of due diligence entitle injured states to relief and reparations from offending states. Just as important, breaches of due diligence authorize victim states to react with a wide range of measures of self-correction from nondiligent states, including resorting to countermeasures.
This essay evaluates due diligence in light of the Defend Forward cyber strategy. It begins with a brief review of due diligence as an obligation of general international law, highlighting a broad base of support from international tribunals and commentators for due diligence as a freestanding rule of conduct. It then recounts recent efforts to apply due diligence to activities in cyberspace. Next, it reviews past US foreign relations experience with due diligence, including its invocation in international litigation and its use to generate favorable diplomatic outcomes. It concludes that positive US diplomatic and legal precedent counsels in favor of renewed recognition of due diligence as an obligation under general international law. It then examines how conceptions of due diligence may complement the Defend Forward strategy in cyberspace. Specifically, it suggests how the United States might best tailor a view on due diligence specific to activities in cyberspace and offer doctrinal refinements that might be acknowledged in light of the US Defend Forward strategy.