Rarely does a day go by in which some variety of cyber attack is not front-page news. From Ashley Madison and the U.S. Office of Personnel Management to Sony, Saudi Aramco, and the Ukraine crisis, cybersecurity is increasingly taking center stage in diverse arenas of geopolitics, international economics, security, and law. But despite the increasing proliferation of these incidents, the field of international cybersecurity law and policy remains relatively immature, especially as it relates to cybersecurity due diligence.
What is cybersecurity due diligence? The term has been defined as “the review of the governance, processes and controls that are used to secure information assets.” Such due diligence obligations may exist between states, between non-state actors (e.g., private corporations), and between state and non-state actors.
International law, while informative, does not spell out how nations (or companies under their jurisdiction) should go about enhancing their cybersecurity to account for emerging due diligence obligations. There’s currently no consensus from the International Court of Justice or elsewhere, for example, on when neutral transit countries must police their networks such as by blocking cyber attacks. As a result, it’s helpful to consider what leading nations and firms are doing in this regard. To that end, we analyzed how three leading cyber powers–the U.S., China, and Germany–are approaching this topic.