The due diligence doctrine under Tallinn Manual 2.0

The Tallinn Manual represents, perhaps, the authoritative statement of international legal norms in cyberspace. Recently, the International Group of Experts, sponsored by NATO CCD COE, completed version 2.0 of the project, delineating revised norms for non-egregious cyberattacks which occur in 'peacetime'. Notably, Tallinn Manual 2.0 ('the Manual') elaborates on the scope of a state's due diligence obligations in cyberspace, in respect of cyberattacks which would constitute internationally wrongful acts and cause 'serious adverse consequences.' But, as one editor of the Manual acknowledged, some states 'pushed back' on the Manual's finding that a due diligence obligation should be shouldered by all states. The present comment will address the contents of Rules 6 and 7 (the due diligence rules). Specifically, I shall examine the merits of: (1) the harm threshold to trigger due diligence; (2) the knowledge threshold to trigger states' due diligence; (3) compliance with due diligence; and (4) preventive duties, as these elements are set out in the Manual. This comment shall then conclude with some reasons behind the reluctance of states to adopt the due diligence principle in cyberspace, including states' motivations in favouring an unregulated cyberspace.