Developed through a project run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University, the Cyber Law Toolkit is designed to help legal practitioners with a working knowledge of international law consider precise and practical cyber scenarios based on real-life examples. One of the cyber scenarios highlighted in the Cyber Law Toolkit describes the potential use of ransomware against municipal governments and healthcare providers. Given the pandemic and recession constraints in today’s world, this scenario and its potential implications are more relevant than ever and worthy of consideration by legal, business, and information technology professionals.
Extract from the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE)*
Scenario 14: Ransomware Campaign
Municipal governments and health care providers in one State fall victim to a ransomware campaign launched by a non-State group in a second State. The ransomware campaign disables municipal and health care services in the first State. The scenario explores how the ransomware campaign may be classified under international law. It first considers whether the campaign is a breach of an international obligation attributable to a State. It then discusses the possible legal responses available to the victim State.
A previously unknown strain of ransomware is directed toward several municipal governments and a variety of health care services providers in State A through the use of phishing emails. Upon opening the emails by government and health care services employees, computer systems are affected. In a major metropolitan city in State A, the local court is forced offline because the ransomware has encrypted its computer systems and the police are forced to revert to using pen and paper to issue traffic citations. Moreover, police are unable to effectuate warrants and ongoing investigations into crimes must be postponed. Thousands of computers at the State A Department of Transportation stop working. Processing of applications for drivers’ licenses and permit renewals is halted. City authorities refuse to pay ransom to the attackers and are forced to spend considerable sums to repair and restore the affected computer systems.
The same ransomware infects hospital systems in a separate city in State A. Doctors are unable to access patient data stored digitally. Staff resort to using paper charts, transmitting messages in person and being able to perform only basic treatment without access to X-rays or ultrasound scans. The health records system of a major company incorporated in State A is also infected, leaving thousands of patient medical files inaccessible. The inaccessibility of patient data coupled with the disruption to the hospital computer systems results in the inability of the medical staff to perform critical surgeries. Patients are admitted to the emergency rooms when absolutely necessary, but cannot be operated on in a timely manner, resulting in several otherwise preventable injuries, but fortunately no loss of life. Lesser harm is caused to patients who cannot be given necessary medication because their medical records are inaccessible. A significant economic loss is caused by the need to reroute patients to other hospitals.
After several weeks, the ransomware attacks stop.
Authorities in State A determine that the ransomware was created by a group of hackers in State B. The hackers’ relationship to State B is not clear. However, the methodology utilized by the hackers bears a striking similarity to a previous cyber operation attributed to State B. Moreover, State B, while formally denying any involvement in the incidents, praises the actions of the hackers as a just and foreseeable reaction to what State B characterizes as State A’s foreign policy misdeeds. State A and State B have strained relations.
State A indicts the hackers, but State B does not cooperate in extraditing the hackers to State A for prosecution under criminal laws of State A for several reasons. Firstly, State B is prohibited by its constitution from extraditing its citizens for criminal prosecution in other States. Secondly, relations between State A and State B are such that, even in the absence of the foregoing reasons, State B would be disinclined to co-operate with State A. Finally, State media in State B has lauded the actions of the hackers as a just response to State A’s purported misdeeds.
- Sony Pictures Entertainment attack (2014)
- SamSam ransomware attack (2018)
- WannaCry (2017)
- NotPetya (2017)
- Texas Municipality ransomware attack (2019)
The analysis in this scenario focuses on the legal qualification of the ransomware attacks from the perspective of international law. In particular, it examines whether the relevant conduct is attributable to State B and whether it amounts to a breach of an international obligation owed by State B to State A. It then discusses the possible legal responses available to the State A.
For the complete and detailed legal analysis with discussions of key terms, considerations, and checklists, visit the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDOE) blog at Cyberlaw.CCDCOE.org.
About the Cyber Law Toolkit and Project
The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia, and the project is run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University. The project team consists of Dr. Kubo Mačák (Exeter), General Editor, Mr. Tomáš Minárik (NCISA), Managing Editor, and Ms. Taťána Jančárková (NATO CCDCOE), Scenario Editor. The individual scenarios and the Toolkit have been reviewed by a team of more than 20 external experts and peer reviewers. The Toolkit is an interactive resource that is continuously developed and updated.
- Chinese Military Personnel Charged with Equifax Hacking
- Estonia and the United States to Build a Joint Cyber Threat Intelligence Platform
* Redistributed with Permission Under the Creative Commons Attribution-ShareAlike 4.0 License