Cyber Due Diligence

Reconstructing Cybersecurity Norms

Cybersecurity is widely considered one of the most pressing issues of our time. Cyber attacks target states, organisations, businesses and individuals across the globe. Despite the global character of the problem the international community and international law has so far struggled to stipulate specific rules to increase cybersecurity. In the absence of a multilateral cybersecurity treaty international law is widely conceived as underdeveloped, the doctrinal cybersecurity discourse seems deadlocked.

This dissertation will analyse the reasons for this deadlock and assess potential ways forward. To this end, it will analyse evolving state practice and assess to what extent the states’ resort to flexible, informal cooperation structures and the adoption of similar preventive legal and administrative measures points towards the evolution of a binding minimum standard of diligent state behaviour in cyberspace.

It will analyse the underlying international and transnational norms influencing such a dynamically evolving standard of diligence. The complex myriad of interrelated and overlapping formal and informal norms addressing cybersecurity necessitates a holistic analysis of both hard and soft law norms. These include both established international legal rules and principles – such as the due diligence or the precautionary principle or states’ obligations to protect human rights –  as well as non-binding documents – such as informal best-practice guides or technical standards of international organisations and private actors.

The project will assess which parametres of cybersecurity diligence meaningfully enhance international cybersecurity and if the criterion of bindingness is a helpful parametre to ascertain the effectiveness of cybersecurity standards and norms. Overall, this will allow to evaluate if the turn to flexible and procedural obligations can overcome some of the shortcomings of the fiercely contested doctrinal discourse on cybersecurity.