The paper examines the evolving concept of cybersecurity due diligence in the context of international law and cyber peace, addressing the obligations of states and private-sector entities to prevent cyber threats below the threshold of armed conflict. While the law of cyber war has been widely studied, the legal responsibilities for securing networks, preventing cyberattacks, and fostering a stable cyberspace remain underdeveloped. Drawing from the 2014 NIST Framework, industry best practices, and emerging national cybersecurity norms, this research advocates for a proactive cybersecurity due diligence regime that incorporates network resiliency, cyber threat intelligence sharing, penetration testing, and vulnerability disclosure mechanisms. The analysis explores customary international law, referencing the Corfu Channel case, and highlights the importance of harmonizing legal frameworks to establish a robust cybersecurity governance structure. It also examines best practices such as application whitelisting, software patching, and administrator privilege minimization, which have significantly reduced cyber risks. As international legal harmonization progresses, governments, corporations, and stakeholders—including Chief Information Security Officers (CISOs)—must collaborate to develop global cybersecurity norms informed by both legal principles and technical standards. The study underscores the necessity of public-private partnerships and interdisciplinary engagement to achieve cyber peace, mitigate cyber threats, and establish a sustainable, resilient digital ecosystem.
Authors:
Scott J. Shackelford, J.D., Scott Russell, J.D., & Andreas Kuehn