CC BY
6
УДК 341.1/8
Озинковская-Бюрабекова Е. В. студент магистрант Университет КазГЮУ Казахстан, г. Астана ПРИМЕНЕНИЕ ПРИНЦИПА ДОЛЖНОЙ ОТВЕТСТВЕННОСТИ В
КИБЕР КОНТЕКСТЕ
Аннотация: В этой статье рассматривается вопрос об обязательстве должной ответственности и его применимости к кибер операциям. Для целей данной статьи обязательство должной ответственности следует понимать, как принцип. В ходе анализа данной проблемы рассматриваются примеры принципа должной ответственности выходящие из двусторонних и многосторонних договоров, а также представлен анализ принципа должной ответственности негосударственных субъектов. Кроме того, в статье оценивается порог ущерба от кибер атак.
Ключевые слова: принцип должной ответственности, двусторонние и многосторонние договоры, негосударственные субъекты, порог ущерба, кибер.
Ozinkovskaya-Byurabekova E. V., master's student
KazGUU University Kazakhstan, Astana
APPLICATION OF DUE DILIGENCE PRINCIPLE IN THE CYBER
CONTEXT
Abstract. This article examines the issue of due diligence obligation and its applicability to the cyber operations. For the purposes of this article, due diligence obligation should be understood as the due diligence principle. The article considers due diligence obligations from bilateral and multilateral treaties. This paper also presents the due diligence obligations of non-State actors. Additionally, the threshold of harm from cyber operations is evaluated.
Keywords: due diligence, bilateral and multilateral treaties, non-State actors, threshold of harm, cyber.
Due diligence is the principle which is usually applies with respect to the obligation of State to monitor and administrate activities on its territory as came whom the maxim of Sic Utere Tuo Ut Alienum Non Laedas which actually represents "use your property as not to harm another". 166 It was used in Corfu Channel judgment where the explosion of mines caused in the death of British nationals. The explosion took place in the Albanian waters and the United Kingdom claimed that Albania was responsible for it. Albania insisted that the mines were left by the third party. The International Court of Justice in this
166 Law J., Martin E. A. A Dictionary of Law. O.: Oxford University Press, 2009. p. 704.
judgement stated that it is a general international law principle that each State is obliged to not to permit and admit knowingly to use its territory for activities which will be unlawful under international law.167 Thus, in cyber context, due diligence obligation should be interpreted as the principle stating that States must not allow to employ its territory as well as its cyber infrastructure which those States govern for cyber attacks which may cause harm and damages, produce serious consequences and affect the rights of other States. Moreover, it is important to note, that due diligence obligation will encompasses not only cyber infrastructure located on the State's territory, but also people conducting and involved in cyber attack as the obligation has an application throughout all the territory under the State's sovereign rights.
Due diligence obligations may also arise from the bilateral and multilateral treaties. For example, if State A and B have a bilateral international agreement between them stating that they should not conduct espionage against each other. On the other hand, the question of due diligence obligation may arises only when the action of the State is unlawful under international law. Thus, considering the situation, State A, despite on the agreement, decides to employ specialists and cyber infrastructure located in State C in order to conduct espionage activities against aforementioned State B. While State A is under obligation not to engage in espionage against State B, the State C is under no such obligation. Therefore, State C may continue to conduct cyber operations despite of due diligence obligation because, first of all, it is not a Party to the treaty and secondly, espionage does not violate international law.
Considering the situation of the applicability of due diligence obligation to non-State actors. For example, a private company may do the things in the cyber space which will cause harm or damages to the other State. Consider a company like WikiLeaks. WikiLeaks is a company, which takes the important information from the different sources as well as through hacking and publishes it on its website. Even if such publications would cause serious harm and produce dramatic consequences for that State whose information and secrets were released, the State may not call upon due diligence obligation for the State where that information was published. Such State is not obliged to remove the information because there is no international law right of the first State which was breached and non-State actors did not act on behalf of the State, unless the attribution is proved.
Rather than the attribution, the threshold of harm is the problem of due diligence as it is unsettled in international law.168 The due diligence applies in situations involving serious harm and consequences. Nevertheless, there is no precise test to identify the threshold for such outcomes. Moreover, not every harm and even not every use of one State's territory with negative outcomes for another would be enough for implication of due diligence. For instance, considering the
167 Corfu Channel Case (United Kingdom v. Albania), Judgment of 15 December 1949, I.C.J Rep. 4. p. 21.
168 Trail Smelter Case (United States, Canada), 3 UNRIAA.
situation when the hackers take control over some official website of one State and gain access to its information. Even if the hackers would block the website but in result it would not cause sufficient harm for the State in overall and would not affect its critical infrastructure of the territorial State, such cyber attack will not be stopped with regard to due diligence.
However, if it possible to meet the threshold of harm, it does not matter where the harm takes place. Consider the situation where one State agreed with another State that it will store its important government data of the servers of the second State. The group of hackers thought the third State conducts cyber attack on the servers where the data located and destroys it. Thus, the hackers make such harm where it is impossible for the first State for operate. In this situation, the third State will be under die diligence obligation with respect to the first State because its territory was used in order to cause harm to another State.
Whereas it is important to evaluate the level of harm and the role of each State and its non-State actors in the cyber operations, it is also relevant to mention that the knowledge element of due diligence is essential. As it was previously mentioned, the State has an obligation not to allow its territory knowingly. In other words, the State should has an actual knowledge that someone else is using its territory. In order to illustrate, it will be possible for the State to has such a knowledge if intelligence agents of the State would detect suspicious cyber activity which comes from their territory but not from the authorised source. Another example of knowledge it is when the State receives truthful information from the credible source that someone is using that State's critical infrastructure. On the other hand, it may be difficult to prove that the State knew about the cyber activities which were taken from its territory, especially for the injured State. Nevertheless, in aforementioned Corfu Channel case, defendant denied that it knew about the activities of the third party on its territory. In response, the International Court of Justice stated that defendant as a State must have known about the activities as it has sovereign rights over its territory and obligation to control it.169 Also, Judge Alvarez in its separate opinion concluded that States have a duty to know about unlawful acts there where its authorities are located.170 Thus, it is how the knowledge requirement was proved. Additionally, it is important to note, that the governmental cyber infrastructure is easier to control than the private one, consequently the requirement of knowledge is more likely to satisfy.
For a State in order to comply with the due diligence principle, the State should take all measures which are possible to do easily in order to stop cyber operations that cause a serious affect.171 It means that as soon as the State received an information from the third party or acquired the knowledge itself
169 Corfu Channel Case (United Kingdom v. Albania), Judgment of 15 December 1949, I.C.J Rep. 4. p. 22.
170 Separate Opinion of Judge Alvarez, Corfu Channel Case (United Kingdom v. Albania), I.C.J Rep. 4.
171 Ziolkowski K. General principles of international law as applicable in cyberspace, in peacetime regime for state activities in cyberspace: international law, international relations and diplomacy. NATO CCD COE Publication. 2013. p. 746.
about the activities in its territory which is unlawful under international law, the State must take reasonable measures towards these harmful for another States activities. Otherwise the principle will be violated if the State stands idle. Moreover, if the State takes ineffective measures while it has an opportunity to use the appropriate ones and they are available for the State, such actions will be also qualified as an omission. Interesting to note that if the national legislation of the State which territory is used for the unlawful activities has the limits on what this State can do in such situations, it will be an excuse for the State not to fulfil its due diligence obligation. It is still will be considered as the State's inaction. That is why the principle includes the measures which should be feasible. However, the interesting question arises whether it is possible to use harsh measure to stop the cyber operation if it will be more accurate and effective than the other measures. The State must take all measures feasible in order to stop wrongful operation, but it is the State's right to choose the measures it considers appropriate. For example, if State may stop the cyber operation by arresting the people involved in it, the State must take these measures when it is reasonable. If the only way to stop the cyber attack is to compel specialists to gain an access to the terrorist cyber infrastructure it will fulfil the obligation of the State to terminate the wrongful operation.
As the due diligence principle requires to take measures to stop the wrongful activities, it is relevant to analyse the possibility of implication of preventive measures. Preventive measures may be viewed as improvement of national legislation in cyber space area or hardening the requirements for safety for national internet providers in order to make the State and its cyber infrastructure harder to hack and use and reduce the risk of future cyber attacks to that State. Nevertheless, it all may not act as a requirement for the due diligence. The cyber space is very difficult area even now in the 21st century. It is still problematic to control it. Thus, such a problem of control leads to the point that the preventive measures are not a requirement because it does not equal to effective measures. For instance, while the State will take preventive measures and defend itself from one type of malware, the activists in the cyber space will create the new one. If such a requirement would exist, it would create unneeded responsibility for States. While the preventive measures are not a requirement of the due diligence principle, it may seem like monitoring and checking cyber operations on the territory of the State is not a requirement too. For many it may also lead to the conclusion that in such situation the knowledge requirement will be far more harder to prove. However, the States still will be able to know about the possible wrongful activities of the third party on its territory because the States have to control and monitor its cyber infrastructures in order to defend itself first of all. All the more so, when hackers can make cyber operation from the State, one day they may conduct it against this State. This is in the interests of any State to monitor its territory in cyber means.
Taking everything into account, it is clear that the issue is very difficult and international law is only trying to regulate the area of cyber space at the moment.
This sphere will experience many changes in the future. As well as many other principles of international law applicable to cyber space, due diligence will evolve.
Bibliography:
1. Corfu Channel Case (United Kingdom v. Albania), Judgment of 15 December 1949, I.C.J Rep. 4. — 21 p.
2. Trail Smelter Case (United States, Canada), 3 UNRIAA. — 154 p.
3. Separate Opinion of Judge Alvarez, Corfu Channel Case (United Kingdom v. Albania), I.C.J Rep. 4. — 22 p.
4. Law J. A Dictionary of Law/ J. Law, E. A. Martin. — Oxford University Press, 2009. — 704 p.
5. Ziolkowski, K. General principles of international law as applicable in cyberspace, in peacetime regime for state activities in cyberspace: international law, international relations and diplomacy. — NATO CCD COE Publication, 2013. — 746 p.
УДК 347.96
Солодянкина Д. С. Студент магистрант 2 курса Санкт-Петербургский юридический институт (филиал) Университета прокуратуры Российской Федерации
Россия, г. Санкт-Петербург О ПРОТИВОДЕЙСТВИИ РАСПРОСТРАНЕНИЮ СВЕДЕНИЙ О КРИМИНАЛЬНЫХ СУБКУЛЬТУРАХ В СРЕДЕ НЕСОВЕРШЕННОЛЕТНИХ Аннотация: В статье рассматривается влияние криминальной субкультуры «АУЕ» с точки зрения распространения вредоносной информации в сети «Интернет». Анализируется вопрос правового регулирования и проблемы определения вида такой информации, а также необходимые меры реагирования со стороны правоохранительных органов и органов прокуратуры.
Ключевые слова: несовершеннолетние, «АУЕ», криминальная субкультура, прокурор.
Solodyankina D.S. second year master student St. Petersburg Law Institute (branch) of the University of the Prosecutor's
Office of the Russian Federation Russia, Saint-Petersburg ABOUT COUNTERING THE DISSEMINATION OF INFORMATION ON CRIMINAL SUBCULTURES IN THE MIDDLE OF
MINORS
Annotation: The article examines the influence of the criminal subculture «AUE» from the point of view of spreading malicious information in the «Internet» network. The issue of legal regulation and the problem of determining
