Oxford Statement on International Law Protections in Cyberspace: The Regulation of Ransomware Operations – Just Security

In the past few months, nothing has reminded everyone of the etymology of the expression "computer virus" like ransomware. This form of malicious code is delivered through a vulnerability in the victim's system, such as a phishing email or password spraying, infiltrating and potentially crippling it like a disease. Specifically, ransomware is used to encrypt user data and either delete or release that data unless a demand (commonly for money) is met. Ipso facto, ransomware causes, by definition, adverse consequences for its intended and unintended targets. Even when the ransom is paid or the attacker's demand is eventually met, frequently a portion of the encrypted data will have been lost anyway, and the victim may be forced to stay offline for a while, incurring significant costs to repair or change its systems. Where the victim serves others, for example by providing public goods like healthcare, education, or utilities, the adverse consequences can quickly, and foreseeably, spread beyond the ransomware's initial targets. In other cases, the means by which ransomware is delivered, especially when delivered through or as part of a digital supply chain attack, can produce a range of cascade effects harming entities who were not the real target of the operation but nonetheless suffer its consequences.

Recent months saw a significant surge in ransomware operations. For instance, in May 2021, Colonial Pipeline, a United States oil pipeline system carrying gasoline and jet fuel, was forced to halt its operations to ensure system safety following a ransomware attack. As a result, there was panic buying and a shortage of gasoline, which led to the highest average gasoline prices in the US in seven years. The attack on the meat provider JBS has been connected to a rise in the price of beef and pork. In the United Kingdom, ransomware attacks have targeted the education sector with increasing frequency, leading to the loss of student coursework, school financial records and data relating to COVID-19 testing. The internal network of Brazil's National Treasury was hit by ransomware in August 2021, and September saw a ransomware operation against South Africa's Justice Department. It is no wonder that, using an expression that has sadly become all too common, we are witnessing a ransomware "epidemic". The cost of this epidemic, both financially and otherwise, may be very high. According to recent reports, India saw a significant increase in the financial impact of ransomware operations: the approximate recovery cost from the impact of ransomware tripled in the last year, up from $1.1 million in 2020 to $3.38 million in 2021.

The ever-growing number of attacks and the increased professionalization of the actors behind ransomware operations call for robust action by states to meaningfully protect cyber infrastructure under their jurisdiction and control. Countering ransomware is not just a matter of national security and good governance. It is an obligation under international law, one highlighted in the latest, and fifth, Oxford Statement on the Protections of International Law in Cyberspace. Like previous iterations of the Oxford Process, the Fifth Statement aims to reflect existing principles and rules of international law in their application to cyber operations and to call upon all states and other international actors to abide by them. Previous Oxford Statements on international law protections in cyberspace have focused on the rules of international law when viewed from the perspective of objects or processes which deserve protection, e.g. the rules which apply to cyber operations that target the health sector, vaccine research, or electoral processes. However, as with our Fourth Statement, which sets out rules relating to information operations and activities, the present Statement focuses on a specific type or method of cyber operation.

While it may appear obvious that states must not themselves engage in ransomware, calling into play a set of negative obligations under international law, this is just the starting point. Ransomware is a problem not only when state-directed or state-sponsored, but even when carried out by non-state actors and tolerated or acquiesced in by different states, including the one from which it originates. For this reason, all states have an obligation to give effect to the well-established rules of international law requiring them to adopt protective measures against the harm caused by ransomware operations which are carried out by others. These rules impose obligations not only to take feasible measures to put an end to harm caused to the rights of other states, but also to take measures to prevent the infringement of the human rights of persons within the state in question. Duties to protect against ransomware may be complied with in several ways, ranging from the investigation and punishment of those responsible for ransomware and the training of specialized cybersecurity personnel, to the adoption of technical measures to strengthen cyber infrastructure, international cooperation and information-sharing. We very much hope that the adoption of these and other measures against ransomware will constitute an effective remedy, if not a cure, for the particularly pernicious form of cyber operation that ransomware embodies.

Our survey of existing international law, whose results are enshrined in the Statement reproduced below, reveals that there is no space for ransomware in a healthy, peaceful, and prosperous international community. All states are called upon to fully commit to this vision.

The Fifth Statement and its current signatories are reproduced below. As with other Statements, we seek the broadest possible support within the profession from across the globe. International lawyers who wish to append their name to the Statement are invited to express their interest via email to oxfordcyberstatement {at} gmail(.)com.

The Oxford Process is convened under the auspices of the Oxford Institute for Ethics, Law and Armed Conflict, whose work on international law in cyberspace is supported by funding from Microsoft and the Government of Japan.

THE OXFORD STATEMENT ON INTERNATIONAL LAW PROTECTIONS IN CYBERSPACE: THE REGULATION OF RANSOMWARE OPERATIONS

Reiterating the commitment expressed in the First, Second, Third and Fourth Oxford Statements to clarify rules of international law applicable in the use of information and communications technologies;

Noting that ransomware (i.e. malware designed to encrypt data and render it unavailable unless a demand is met) is a global threat, having been employed at an escalating pace by a growing number of malicious actors, including states and non-state groups, for financial or political purposes, often connected to criminal and other unlawful activities such as terrorism, human and drug trafficking, money laundering, sanctions evasion, and the proliferation of weapons of mass destruction;

Stressing that the COVID-19 pandemic and our increased dependency on the Internet and other information and communications technologies have enhanced vulnerabilities to and opportunities for ransomware and other types of malware that facilitate its distribution, including the targeting of remote control or monitoring systems and the use of phishing emails, malicious websites or false notifications;

Considering that ransomware has, in the vast majority of cases where it has been employed, caused significant and widespread harm to public and private institutions, as well as individuals, such as financial loss, reputational damage, breach of confidentiality, and the significant disruption of critical infrastructure, including healthcare and education, while posing an imminent risk of destructive harm to industrial control systems such as electric grids, water distribution systems and nuclear power plants;

Bearing in mind that ransomware can take increasingly varied and sophisticated forms, including targeted and indiscriminate operations, and lead to the denial of access to and/or the unauthorized release of data if demands are not met;

We agree that:
