The Regulation of Ransomware Operations

In the past few months, nothing has reminded everyone of the etymology of the expression “computer virus” like ransomware. This form of malicious code is delivered by exploiting a weakness in the victim’s defences, for example through a phishing email or password spraying, and then infiltrates and potentially cripples the system like a disease. Specifically, ransomware is used to encrypt user data, with the threat that the data will be deleted or released unless a demand (commonly for money) is met. By definition, ransomware causes adverse consequences for its intended and unintended targets. Even when the ransom is paid or the attacker’s demand is eventually met, frequently a portion of the encrypted data will have been lost anyway and the victim may be forced to stay offline for a while, incurring significant costs to repair or change its systems. Where the victim serves others, for example, providing public goods like healthcare, education, or utilities, the adverse consequences can quickly, and foreseeably, spread beyond the ransomware’s initial targets. In other cases, the means by which ransomware is delivered — especially when delivered through or as part of a digital supply chain attack — can produce a range of cascade effects harming entities who were not the “real” target of the operation but nonetheless suffer its consequences.

Recent months saw a significant surge in ransomware operations. For instance, in May 2021, Colonial Pipeline, a United States oil pipeline system carrying gasoline and jet fuel, was forced to halt its operations to ensure system safety following a ransomware attack. As a result, there was panic buying and a shortage of gasoline, which led to the highest average gasoline prices in the US in seven years. The attack on the meat provider JBS has been connected to a rise in the price of beef and pork. In the United Kingdom, ransomware attacks have targeted the education sector with increasing frequency, leading to the loss of student coursework, school financial records and data relating to COVID-19 testing. The internal network of Brazil’s National Treasury was hit by ransomware in August 2021, and September saw a ransomware operation against South Africa’s Justice Department. It is no wonder that — using an expression that has sadly become all too common — we are witnessing a “ransomware epidemic.” The cost of this epidemic, both financially and otherwise, may be very high. According to recent reports, India saw a significant increase in the financial impact of ransomware operations: the approximate recovery cost from the impact of ransomware tripled in the last year, up from $1.1 million in 2020 to $3.38 million in 2021.

The ever-growing number of attacks and increased professionalization of actors behind ransomware operations call for robust action by states to meaningfully protect cyber infrastructure under their jurisdiction and control. Countering ransomware is not just a matter of national security and good governance. It is an obligation under international law, one highlighted in the latest, and fifth, Oxford Statement on the Protections of International Law in cyberspace. Like previous iterations of the Oxford Process, the Fifth Statement aims to reflect existing principles and rules of international law in their application to cyber operations and to call upon all states and other international actors to abide by them. Previous Oxford Statements on international law protections in cyberspace have focused on the rules of international law when viewed from the perspective of objects or processes which deserve protection, e.g. the rules which apply to cyber operations that target the health sector, vaccine research, electoral processes. However, as with our Fourth Statement, which sets out rules relating to information operations and activities, the present Statement focuses on a specific type or method of cyber operation.

While it may appear obvious that states must not themselves engage in ransomware, calling into play a set of negative obligations under international law, this is just the starting point. Ransomware is a problem not only when state-directed or state-sponsored, but even when carried out by non-state actors and tolerated or acquiesced in by different states, including the one from which it originates. For this reason, all states have an obligation to give effect to the well-established rules of international law requiring them to adopt protective measures against the harm caused by ransomware operations which are carried out by others. Those rules impose obligations not only to take feasible measures to put an end to harm caused to the rights of other states but also to take measures to prevent the infringement of the human rights of persons within the state in question. Duties to protect against ransomware may be complied with in several ways, ranging from the investigation and punishment of those responsible for ransomware and the training of specialized cybersecurity personnel, to the adoption of technical measures to strengthen cyber infrastructure, international cooperation and information-sharing. We very much hope that the adoption of these and other measures against ransomware will constitute an effective remedy, if not a cure, against the particularly pernicious form of cyber operation that ransomware embodies.

Our survey of existing international law — whose results are enshrined in the Statement reproduced below — reveals that there is no space for ransomware in a healthy, peaceful, and prosperous international community. All states are called upon to fully commit to this vision.

The Fifth Statement and its current signatories are reproduced below. As with other Statements, we seek the broadest possible support within the profession from across the globe.  International lawyers who wish to append their name to the statement are invited to express their interest via email to oxfordcyberstatement at gmail(.)com.

The Oxford Process is convened under the auspices of the Oxford Institute for Ethics, Law and Armed Conflict whose work on international law in cyberspace is supported by funding from Microsoft and the Government of Japan.

 

THE OXFORD STATEMENT ON INTERNATIONAL LAW PROTECTIONS IN CYBERSPACE: THE REGULATION OF RANSOMWARE OPERATIONS

Reiterating the commitment expressed in the First, Second, Third and Fourth Oxford Statements to clarify rules of international law applicable in the use of information and communications technologies;

Noting that ransomware (i.e. malware designed to encrypt data and render it unavailable unless a demand is met) is a global threat, having been employed at an escalating pace by a growing number of malicious actors, including states and non-state groups for financial or political purposes, often connected to criminal and other unlawful activities such as terrorism, human and drug trafficking, money laundering, sanctions evasion, and the proliferation of weapons of mass destruction;

Stressing that the COVID-19 pandemic and our increased dependency on the Internet and other information and communications technologies have enhanced vulnerabilities to and opportunities for ransomware and other types of malware that facilitate its distribution, including the targeting of remote control or monitoring systems and the use of phishing emails, malicious websites or false notifications;

Considering that ransomware has, in the vast majority of cases where it has been employed, caused significant and widespread harm to public and private institutions, as well as individuals, such as financial loss, reputational damage, breach of confidentiality, and the significant disruption of critical infrastructure, including healthcare and education, while posing an imminent risk of destructive harm to industrial control systems such as electric grids, water distribution systems and nuclear power plants;

Bearing in mind that ransomware can take increasingly varied and sophisticated forms, including targeted and indiscriminate operations, and lead to the denial of access to and/or the unauthorized release of data if demands are not met;

We agree that:

  1. Conduct carried out through information and communications technologies, such as ransomware operations, is regulated by international law.
  2. States must refrain from conducting, directing, authorising or aiding and assisting ransomware operations which violate the principles of sovereignty or non-intervention in a state’s internal or external affairs, or amount to a prohibited threat or use of force within the meaning of the Charter of the United Nations. In particular, states must refrain from ransomware operations which are aimed at or result in disruption to electoral systems, healthcare, electric grids, water distribution systems, and nuclear power plants.
  3. States must refrain from conducting, directing, authorising or aiding and assisting ransomware operations that result in violations of the human rights of individuals within their jurisdiction, such as the right to life, health, private life, education, property, freedoms of thought and opinion, freedom of expression, including the freedom to seek, receive and impart information and ideas of all kinds.
  4. a) States must not allow their territory or infrastructure under their jurisdiction or control to be used by states or non-state actors for ransomware operations that are contrary to the rights of other states, when the former states know or should know of such operations.
     b) To discharge those duties, states from which ransomware operation emanates, in full or in part, must take feasible measures to stop such operations and otherwise address the situation. Such measures may include the conduct of investigations, the adoption of legal and technical measures, as well as cooperation with other states. Any measures taken in this regard must be compliant with applicable obligations under international law, including international human rights law.
  5. States must take measures to protect the human rights of individuals within their jurisdiction from harmful ransomware operations, including when such operations are carried out by other states and non-state actors. To discharge this obligation, states may, among other measures, prohibit ransomware by law, take feasible steps to stop ransomware operations, mitigate their effects, investigate and punish those responsible, as well as prevent and suppress ransom payments to the extent possible. Where such protective measures interfere with other human rights, they must conform with applicable legal requirements, such as legitimate purpose, legality, necessity, proportionality and non-discrimination.
  6. The use of ransomware during armed conflict is subject to the applicable rules of international humanitarian law (IHL). These rules include, but are not limited to, the duty to respect and ensure respect for IHL, which entails an obligation to prevent violations of IHL; the duties to respect and to protect specific actors or objects, including medical personnel and facilities and humanitarian personnel and consignments; the duties concerning objects indispensable to the survival of the civilian population as well as those concerning works and installations containing dangerous forces; and other rules on the protection of civilians, civilian objects, and of persons who no longer participate in hostilities, such as the sick, wounded, and prisoners of war.
  7. The use of ransomware will amount to international crimes, such as genocide, war crimes and crimes against humanity, where the elements of those crimes are fulfilled.
  8. The application of the aforementioned rules is without prejudice to any other applicable rules of international law that provide protections against ransomware and related activities.

 

  1. Dapo Akande, Professor of Public International Law, Co-Director, Oxford Institute for Ethics, Law & Armed Conflict (ELAC), University of Oxford
  2. Mariana Salazar Albornoz, Member, Inter-American Juridical Committee (OAS) and Professor of International Law, Universidad Iberoamericana, Mexico City
  3. Kai Ambos, Professor and Chair of Criminal Law, Procedure, Comparative Law, International Criminal Law and Public International Law, Georg August Universität Göttingen, Germany
  4. Joshua Andresen, Deputy Head of School and Reader in National Security and Foreign Relations Law, School of Law, University of Surrey
  5. Pouria Askary, Associate Professor of International Law, Allameh Tabataba’i University
  6. William Banks, Board of Advisers Distinguished Professor, Syracuse University College of Law
  7. Richard Barnes, Professor, The University of Lincoln
  8. Orna Ben-Naftali, Professor of Law and Emile Zola Chair for Human Rights, The Striks Law Faculty, The College of Management Academic Studies, Israel
  9. Nehal Bhuta, Chair of Public International Law, University of Edinburgh
  10. Ziv Bohrer, Senior Lecturer in International Law, Faculty of Law, Bar-Ilan University
  11. Michael Bothe, Professor emeritus of Public Law, J.W. Goethe University, Frankfurt/Main
  12. Tomer Broude, Professor, Bessie & Michael Greenblatt, Q.C., Chair in Public and International Law, Faculty of Law and Department of International Relations, Hebrew University of Jerusalem
  13. Chester Brown, Professor of International Law and International Arbitration, Sydney Law School, University of Sydney
  14. Russell Buchan, Senior Lecturer in Law, University of Sheffield
  15. Michael Byers, Professor & Canada Research Chair in Global Politics and International Law, University of British Columbia
  16. Nicolás Carrillo Santarelli, Associate Researcher, Institute of Human Rights at Business, UDEM University of Monterrey
  17. Alejandro Chehtman, Professor of Law, Universidad Torcuato Di Tella (Argentina)
  18. Roger S. Clark, Board of Governors Professor Emeritus, Rutgers Law School, Camden, New Jersey
  19. Antonio Coco, Lecturer in Public International Law, University of Essex and Visiting Fellow at ELAC, University of Oxford
  20. Emily Crawford, Professor, The University of Sydney Law School
  21. Rebecca Crootof, Assistant Professor of Law, University of Richmond School of Law
  22. Federica D’Alessandra, Executive Director of the Oxford Programme on International Peace and Security, Blavatnik School of Government, University of Oxford
  23. Tom Dannenbaum, Assistant Professor of International Law, The Fletcher School of Law & Diplomacy, Tufts
  24. Margaret M. deGuzman, James E. Beasley Professor of Law, Temple University Beasley School of Law
  25. François Delerue, Senior Researcher in Cybersecurity Governance, Leiden University
  26. Diane A. Desierto, Professor of Law and Global Affairs, Faculty Director of LLM Program in International Human Rights, Notre Dame Law School and Keough School of Global Affairs, University of Notre Dame (USA)
  27. Talita Dias, Shaw Foundation Junior Research Fellow, Jesus College; Research Fellow, ELAC, University of Oxford
  28. William S. Dodge, Martin Luther King, Jr. Professor of Law and John D. Ayer Chair in Business Law, University of California, Davis, School of Law
  29. Jessica Dorsey, Assistant Professor of International and European Law, Utrecht University School of Law
  30. Pavan Duggal, Chairman, International Commission on Cyber Security Law; Founder-cum-Honorary Chancellor, Cyberlaw University; Advocate, Supreme Court of India
  31. Jeffrey L. Dunoff, Laura H. Carnell Professor of Law, Temple University Beasley School of Law
  32. Max du Plessis, Senior Counsel and Barrister, South Africa, Adjunct Professor, University of Cape Town and Nelson Mandela University
  33. Kristen E. Eichensehr, Martha Lubin Karsh and Bruce A. Karsh Bicentennial Professor of Law, University of Virginia School of Law
  34. Martin Faix, Senior Lecturer in International Law, Palacký University Olomouc/Charles University in Prague
  35. Tom Farer, Dean Emeritus and University Professor, Josef Korbel School of International Studies, University of Denver
  36. David P. Fidler, Senior Fellow for Cybersecurity and Global Health, Council on Foreign Relations (USA)
  37. Malgosia Fitzmaurice, Professor of International Law, Queen Mary University of London
  38. Micaela Frulli, Professor, Law Department, DSG, Università di Firenze
  39. Geoff Gilbert, Professor of International Human Rights & Humanitarian Law, School of Law and Human Rights Centre, University of Essex
  40. Chiara Giorgetti, Professor of Law, Richmond Law School, Richmond (VA,USA)
  41. Richard J. Goldstone, Retired Justice of the Constitutional Court of South Africa, former Chief Prosecutor of the ICTY and ICTR
  42. Guy S. Goodwin-Gill, Professor, Faculty of Law & Justice, University of New South Wales (UNSW); Andrew & Renata Kaldor Centre for International Refugee Law, UNSW; Emeritus Fellow, All Souls College, Oxford
  43. Gregory S. Gordon, Professor of Law, The Chinese University of Hong Kong Faculty of Law
  44. James A. Green, Professor of Public International Law, Head of Research, Bristol Law School, UWE Bristol
  45. Douglas Guilfoyle, Associate Professor of International and Security Law, University of New South Wales Canberra
  46. Oleg Gushchyn, Professor, Military Law Department, Taras Shevchenko National University of Kyiv, Ukraine
  47. Yael Vias Gvirsman, Director of the International Criminal and Humanitarian Law Clinic, Harry Radzyner Law School, Reichman University, Attorney and Consultant specializing in International Law
  48. Steven Haines, Professor of Public International Law, University of Greenwich
  49. Monica Hakimi, James V. Campbell Professor of Law, University of Michigan Law School
  50. Adil Haque, Professor of Law and Judge Jon O. Newman Scholar, Rutgers Law School
  51. Mohamed S. Helal, Associate Professor of Law, The Ohio State University; Member, Permanent Court of Arbitration; Member, African Union Commission on International Law
  52. Kevin Jon Heller, Professor of International Law and Security, University of Copenhagen (Centre for Military Studies); Professor of Law, Australian National University
  53. Christian Henderson, Professor of International Law, University of Sussex
  54. Stacey Henderson, Lecturer, Adelaide Law School, The University of Adelaide
  55. Duncan B. Hollis, Laura H. Carnell Professor of Law, Temple University School of Law
  56. María José Cervell Hortal, Professor of Public International Law and International Relations, University of Murcia, Spain
  57. Deborah Housen-Couriel, The Federmann Cyber Security Research Center at the Hebrew University of Jerusalem; Chief Legal Officer and VP Regulation at Konfidas Digital Ltd
  58. Karen Hulme, Professor of Law, University of Essex, United Kingdom
  59. Eric Talbot Jensen, Robert W. Barker Professor of Law, Brigham Young University
  60. Derek Jinks, A.W. Walker Centennial Chair in Law, University of Texas School of Law
  61. Kate Jones, Associate Fellow, Chatham House
  62. Ido Kilovaty, Associate Professor of Law, University of Tulsa College of Law
  63. Pierre Klein, Professor, Université libre de Bruxelles
  64. Robert Kolb, Professor of Public international law, University of Geneva
  65. Leonhard Kreuzer, Research Fellow, Max Planck Institute for Comparative Public Law and International Law, Heidelberg, Germany
  66. Joanna Kulesza, tenured Professor of International Law and Internet Governance, University of Lodz, Poland
  67. Masahiro Kurosaki, Associate Professor of International Law and Director of the Study of Law, Security and Military Operations, National Defense Academy of Japan
  68. Henning Lahmann, Hauser Global Postdoctoral Fellow, NYU School of Law
  69. Eliav Lieblich, Professor of Law, Buchmann Faculty of Law, Tel Aviv University
  70. Noam Lubell, Professor of International Law, Director of the Essex Armed Conflict and Crisis Hub, School of Law & Human Rights Centre, University of Essex
  71. Asaf Lubin, Associate Professor of Law, Indiana University Maurer School of Law; Faculty Associate, Berkman Klein Center for Internet and Society, Harvard Law School; Affiliated Fellow, Information Society Project, Yale Law School
  72. Kubo Mačák, Legal Adviser, Legal Division, International Committee of the Red Cross
  73. Fabrizio Marrella, Full Professor of International Law and Vice Rector for International Relations and International Cooperation, “Ca’ Foscari” University of Venice, Italy; Professeur invité, Sorbonne Law School
  74. Errol P. Mendes, Full professor of constitutional and international law, University of Ottawa, Canada; President, International Commission of Jurists, Canadian Section
  75. Tomohiro Mikanagi, Ministry of Foreign Affairs, Japan
  76. Marko Milanovic, Professor of Public International Law, University of Nottingham School of Law
  77. Lindsay Moir, Professor of International Law, University of Hull Law School
  78. Evgeni Moyakine, Assistant Professor, Section IT Law / STeP Research Group, Faculty of Law, University of Groningen
  79. Harriet Moynihan, Acting Director, International Law Programme, Chatham House (Royal Institute of International Affairs)
  80. Roda Mushkat, Professor of International Law, Johns Hopkins University, Paul H. Nitze School of Advanced International Studies (SAIS)
  81. James C. O’Brien, Vice-Chair, Albright Stonebridge Group
  82. Mary Ellen O’Connell, Robert and Marion Short Professor of Law and Research Professor of International Dispute Resolution, Kroc Institute for International Peace Studies, University of Notre Dame
  83. Stefan Oeter, Professor of public International Law and Director of the Institute of International Affairs, Faculty of Law, University of Hamburg
  84. Obiora C. Okafor, Edward B. Burling Chair in International Law and Institutions, School of Advanced International Studies, Johns Hopkins University, Washington DC, USA
  85. Roger O’Keefe, Professor of International Law, Bocconi University
  86. Inger Österdahl, Professor in Public International Law, Faculty of Law, Uppsala University
  87. Bruce Oswald, Professorial Fellow, Melbourne Law School, University of Melbourne
  88. Jordan J. Paust, Professor Emeritus, University of Houston Law Center
  89. Sejal Parmar, Lecturer, School of Law, University of Sheffield
  90. Anni Pues, Lecturer in International Law, Glasgow Centre for International Law and Security, University of Glasgow
  91. José Antonio Moreno Rodríguez, Arbitrator, Permanent Court of Arbitration; Member, Inter-American Juridical Committee of the Organization of American States
  92. Przemysław Roguski, Lecturer in Law, Jagiellonian University in Kraków, Poland
  93. Barrie Sander, Assistant Professor, Leiden University – Faculty of Governance and Global Affairs
  94. Andrew Sanger, University Lecturer in International Law, University of Cambridge
  95. Marco Sassòli, professor of international law, University of Geneva, Switzerland
  96. Ben Saul, Challis Chair of International Law, The University of Sydney
  97. Sergey Sayapin, Associate Professor and Associate Dean, School of Law, KIMEP University, Kazakhstan
  98. David J. Scheffer, Former U.S. Ambassador at Large for War Crimes Issues; Clinical Professor Emeritus and Director Emeritus, Center for International Human Rights, Northwestern University Pritzker School of Law
  99. Michael Schmitt, Professor of International Law at the University of Reading and G. Norman Lieber Distinguished Scholar at the United States Military Academy (West Point)
  100. Bruno Simma, former Judge at the International Court of Justice; Judge, Iran-United States Claims Tribunal
  101. David Sloss, John A. and Elizabeth H. Sutro Professor of Law, Santa Clara University School of Law
  102. Lucía Solano, Legal Adviser to the Permanent Mission of Colombia to the United Nations in New York
  103. Alfred H.A. Soons, Professor emeritus of public international law, Utrecht University School of Law, The Netherlands
  104. Arun Mohan Sukumar, PhD Candidate and pre-doctoral research fellow, Centre for International Law and Governance, The Fletcher School, Tufts University
  105. Professor Surya P. Subedi, QC, OBE, DC, Professor of International Law, University of Leeds, and Barrister, Three Stone Chambers, Lincoln’s Inn, London
  106. Patrick C. R. Terry, Dean and Professor of Law, University of Public Administration Kehl
  107. Kimberley Trapp, Professor of Public International Law, University College London
  108. Nicholas Tsagourias, Professor of International Law, University of Sheffield
  109. Tsvetelina van Benthem, Research Officer, ELAC
  110. Larissa van den Herik, professor of public international law, Grotius Centre for International Legal Studies, Leiden University
  111. Willem van Genugten, Professor em. of International Law, Tilburg University, The Netherlands
  112. Liis Vihul, Founder and CEO, Cyber Law International
  113. Michael Waibel, Professor of International Law, University of Vienna, Austria
  114. Christopher Waters, Professor, Faculty of Law, University of Windsor
  115. Steven Wheatley, Professor of International Law, University of Lancaster
  116. Jan Wouters, Full Professor of International Law and International Organizations, Jean Monnet Chair ad personam, Director Leuven Centre for Global Governance Studies – Institute for International Law, KU Leuven
  117. Pål Wrange, Professor of Public International Law, Stockholm University, and Director of the Stockholm Centre for International Law and Justice (SCILJ)