Thu. Mar 28th, 2024

Developed through a project run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University, the Cyber Law Toolkit is designed to help legal practitioners with a working knowledge of international law consider precise and practical cyber scenarios based on real-life examples. One of the cyber scenarios highlighted in the Cyber Law Toolkit describes the potential use of ransomware against municipal governments and healthcare providers. Given the pandemic and recession constraints in today’s world, this scenario and its potential implications are more relevant than ever and worthy of consideration by legal, business, and information technology professionals.

Extract from the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE)*

Scenario 14: Ransomware Campaign

Municipal governments and health care providers in one State fall victim to a ransomware campaign launched by a non-State group in a second State. The ransomware campaign disables municipal and health care services in the first State. The scenario explores how the ransomware campaign may be classified under international law. It first considers whether the campaign is a breach of an international obligation attributable to a State. It then discusses the possible legal responses available to the victim State.

Scenario Facts

A previously unknown strain of ransomware is directed toward several municipal governments and a variety of health care services providers in State A through the use of phishing emails. Upon opening the emails by government and health care services employees, computer systems are affected. In a major metropolitan city in State A, the local court is forced offline because the ransomware has encrypted its computer systems and the police are forced to revert to using pen and paper to issue traffic citations. Moreover, police are unable to effectuate warrants and ongoing investigations into crimes must be postponed. Thousands of computers at the State A Department of Transportation stop working. Processing of applications for drivers’ licenses and permit renewals is halted. City authorities refuse to pay ransom to the attackers and are forced to spend considerable sums to repair and restore the affected computer systems.

The same ransomware infects hospital systems in a separate city in State A. Doctors are unable to access patient data stored digitally. Staff resort to using paper charts, transmitting messages in person and being able to perform only basic treatment without access to X-rays or ultrasound scans. The health records system of a major company incorporated in State A is also infected, leaving thousands of patient medical files inaccessible. The inaccessibility of patient data coupled with the disruption to the hospital computer systems results in the inability of the medical staff to perform critical surgeries. Patients are admitted to the emergency rooms when absolutely necessary, but cannot be operated on in a timely manner, resulting in several otherwise preventable injuries, but fortunately no loss of life. Lesser harm is caused to patients who cannot be given necessary medication because their medical records are inaccessible. A significant economic loss is caused by the need to reroute patients to other hospitals.

After several weeks, the ransomware attacks stop.

Authorities in State A determine that the ransomware was created by a group of hackers in State B. The hackers’ relationship to State B is not clear. However, the methodology utilized by the hackers bears a striking similarity to a previous cyber operation attributed to State B. Moreover, State B, while formally denying any involvement in the incidents, praises the actions of the hackers as a just and foreseeable reaction to what State B characterizes as State A’s foreign policy misdeeds. State A and State B have strained relations.

State A indicts the hackers, but State B does not cooperate in extraditing the hackers to State A for prosecution under criminal laws of State A for several reasons. Firstly, State B is prohibited by its constitution from extraditing its citizens for criminal prosecution in other States. Secondly, relations between State A and State B are such that, even in the absence of the foregoing reasons, State B would be disinclined to co-operate with State A. Finally, State media in State B has lauded the actions of the hackers as a just response to State A’s purported misdeeds.

Scenario Examples

Legal Analysis

The analysis in this scenario focuses on the legal qualification of the ransomware attacks from the perspective of international law. In particular, it examines whether the relevant conduct is attributable to State B and whether it amounts to a breach of an international obligation owed by State B to State A. It then discusses the possible legal responses available to the State A.

For the complete and detailed legal analysis with discussions of key terms, considerations, and checklists, visit the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDOE) blog at Cyberlaw.CCDCOE.org.

Read the complete scenario overview at Scenario 14: Ransomware Campaign


About the Cyber Law Toolkit and Project

The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia, and the project is run by a consortium of five partner institutions: Czech National Cyber and Information Security Agency (NCISA), International Committee of the Red Cross (ICRC), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), University of Exeter, and Wuhan University. The project team consists of Dr. Kubo Mačák (Exeter), General Editor, Mr. Tomáš Minárik (NCISA), Managing Editor, and Ms. Taťána Jančárková (NATO CCDCOE), Scenario Editor. The individual scenarios and the Toolkit have been reviewed by a team of more than 20 external experts and peer reviewers. The Toolkit is an interactive resource that is continuously developed and updated.

Learn more about the toolkit and project at Cyber Law Toolkit


Additional Reading

Source: ComplexDiscovery

* Redistributed with Permission Under the Creative Commons Attribution-ShareAlike 4.0 License

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Midjourney, and DALL-E, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).

ComplexDiscovery also provides a ChatGPT-powered AI article assistant for its users. This feature leverages LLM capabilities to generate relevant and valuable insights related to specific page and post content published on ComplexDiscovery.com. By offering this AI-driven service, ComplexDiscovery OÜ aims to create a more interactive and engaging experience for its users, while highlighting the importance of responsible and ethical use of GAI and LLM technologies.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is a highly recognized digital publication focused on providing detailed insights into the fields of cybersecurity, information governance, and eDiscovery. Based in Estonia, a hub for digital innovation, ComplexDiscovery OÜ upholds rigorous standards in journalistic integrity, delivering nuanced analyses of global trends, technology advancements, and the eDiscovery sector. The publication expertly connects intricate legal technology issues with the broader narrative of international business and current events, offering its readership invaluable insights for informed decision-making.

For the latest in law, technology, and business, visit ComplexDiscovery.com.