The threat of cyber-inflicted disaster looms large. Yet there are few bespoke rules of international law governing cyber threats, and little prospect of new ‘cyber law’ emerging. The common approach to dealing with large-scale cyber threats has thus been to apply the existing prohibition of the use of force. It is no simple matter to apply the prohibition to cyber-attacks, however. Applying the prohibition also involves significant attribution problems, and it covers neither cyber-attacks perpetrated by non-state actors nor unintended cyber harm. It is therefore argued that the focus should be reoriented to another existing international legal obligation: the duty of due diligence. This duty has been applied successfully to other issues of international concern, and its application to cyberspace would remedy (or minimise) the issues associated with applying the prohibition of the use of force. The duty can act as a more effective means of trying to prevent cyber disasters.