In the past few months, nothing has reminded everyone of the etymology of the expression “computer virus” like ransomware. This form of malicious code is delivered through a vulnerability in the victim’s system, such as a phishing email or password spraying, infiltrating and potentially crippling it like a disease. Specifically, ransomware is used to encrypt user data and either delete or release that data unless a demand (commonly for money) is met. Ipso facto, ransomware causes by definition adverse consequences for its intended and unintended targets. Even when the ransom is paid or the attacker’s demand is eventually met, frequently a portion of the encrypted data will have been lost anyway and the victim may be forced to stay offline for a while, incurring significant costs to repair or change its systems. Where the victim serves others, for example, providing public goods like healthcare, education, or utilities, the adverse consequences can quickly, and foreseeably, spread beyond the ransomware’s initial targets. In other cases, the means by which ransomware is delivered — especially when delivered through or as part of a digital supply chain attack — can produce a range of cascade effects harming entities who were not the “real” target of the operation but nonetheless suffer its consequences.
Recent months saw a significant surge in ransomware operations. For instance, in May 2021, Colonial Pipeline, a United States oil pipeline system carrying gasoline and jet fuel, was forced to halt its operations to ensure system safety following a ransomware attack. As a result, there was panic buying and shortage of gasoline which led to the highest average gasoline prices in the US for seven years. The attack on the meat provider JBS has been connected to a rise in the price of beef and pork. In the United Kingdom, ransomware attacks have targeted the education sector with increasing frequency, leading to the loss of student coursework, school financial records and data relating to COVID-19 testing. The internal network of Brazil’s National Treasury was hit by ransomware in August 2021, and September saw a ransomware operation against South Africa’s Justice Department. It is no wonder that — using an expression that has sadly become all too common — we are witnessing a “ransomware epidemic.” The cost of this epidemic, both financially and otherwise, may be very high. According to recent reports, India saw a significant increase in the financial impact of ransomware operations: the approximate recovery cost from the impact of ransomware tripled in the last year, up from $1.1 million in 2020, to $3.38 in 2021.
The ever-growing number of attacks and increased professionalization of actors behind ransomware operations call for robust action by states to meaningfully protect cyber infrastructure under their jurisdiction and control. Countering ransomware is not just a matter of national security and good governance. It is an obligation under international law, one highlighted in the latest, and fifth, Oxford Statement on the Protections of International Law in cyberspace. Like previous iterations of the Oxford Process, the Fifth Statement aims to reflect existing principles and rules of international law in their application to cyber operations and to call upon all states and other international actors to abide by them. Previous Oxford Statements on international law protections in cyberspace have focused on the rules of international law when viewed from the perspective of objects or processes which deserve protection, e.g. the rules which apply to cyber operations that target the health sector, vaccine research, electoral processes. However, as with our Fourth Statement, which sets out rules relating to information operations and activities, the present Statement focuses on a specific type or method of cyber operation.
While it may appear obvious that states must not themselves engage in ransomware, calling into play a set of negative obligations under international law, this is just the starting point. Ransomware is a problem not only when state-directed or state-sponsored, but even when carried out by non-state actors and tolerated or acquiesced in by different states, including the one from which it originates. For this reason, all states have an obligation to give effect to the well-established rules of international law requiring them to adopt protective measures against the harm caused by ransomware operations which are carried out by others. Those impose obligations not only to take feasible measures to put an end to harm caused to the rights of other states but also to take measures to prevent the infringement of the human rights of persons within the state in question. Duties to protect against ransomware may be complied with in several ways, ranging from the investigation and punishment of those responsible for ransomware and the training of specialized cybersecurity personnel, to the adoption of technical measures to strengthen cyber infrastructure, international cooperation and information-sharing. We very much hope that the adoption of these and other measures against ransomware will constitute an effective remedy, if not a cure against the particularly pernicious form of cyber operation that ransomware embodies.
Our survey of existing international law — whose results are enshrined in the Statement reproduced below — reveals that there is no space for ransomware in a healthy, peaceful, and prosperous international community. All states are called upon to fully commit to this vision.
The Fifth Statement and its current signatories are reproduced below. As with other Statements, we seek the broadest possible support within the profession from across the globe. International lawyers who wish to append their name to the statement are invited to express their interest via email to oxfordcyberstatement at gmail(.)com.
The Oxford Process is convened under the auspices of the Oxford Institute for Ethics, Law and Armed Conflict whose work on international law in cyberspace is supported by funding from Microsoft and the Government of Japan.
THE OXFORD STATEMENT ON INTERNATIONAL LAW PROTECTIONS IN CYBERSPACE: THE REGULATION OF RANSOMWARE OPERATIONS
Reiterating the commitment expressed in the First, Second, Third and Fourth Oxford Statements to clarify rules of international law applicable in the use of information and communications technologies;
Noting that ransomware (i.e. malware designed to encrypt data and render it unavailable unless a demand is met) is a global threat, having been employed at an escalating pace by a growing number of malicious actors, including states and non-state groups for financial or political purposes, often connected to criminal and other unlawful activities such as terrorism, human and drug trafficking, money laundering, sanctions evasion, and the proliferation of weapons of mass destruction;
Stressing that the COVID-19 pandemic and our increased dependency on the Internet and other information and communications technologies have enhanced vulnerabilities to and opportunities for ransomware and other types of malware that facilitate its distribution, including the targeting of remote control or monitoring systems and the use of phishing emails, malicious websites or false notifications;
Considering that ransomware has, in the vast majority of cases where it has been employed, caused significant and widespread harm to public and private institutions, as well as individuals, such as financial loss, reputational damage, breach of confidentiality, and the significant disruption of critical infrastructure, including healthcare and education, while posing an imminent risk of destructive harm to industrial control systems such as electric grids, water distribution systems and nuclear power plants;
Bearing in mind that ransomware can take increasingly varied and sophisticated forms, including targeted and indiscriminate operations, and lead to the denial of access to and/or the unauthorized release of data if demands are not met;
We agree that:
- Conduct carried out through information and communications technologies, such as ransomware operations, is regulated by international law.
- States must refrain from conducting, directing, authorising or aiding and assisting ransomware operations which violate the principles of sovereignty or non-intervention in a state’s internal or external affairs, or amount to a prohibited threat or use of force within the meaning of the Charter of the United Nations. In particular, states must refrain from ransomware operations which are aimed at or result in disruption to electoral systems, healthcare, electric grids, water distribution systems, and nuclear power plants.
- States must refrain from conducting, directing, authorising or aiding and assisting ransomware operations that result in violations of the human rights of individuals within their jurisdiction, such as the right to life, health, private life, education, property, freedoms of thought and opinion, freedom of expression, including the freedom to seek, receive and impart information and ideas of all kinds.
- a) States must not allow their territory or infrastructure under their jurisdiction or control to be used by states or non-state actors for ransomware operations that are contrary to the rights of other states, when the former states know or should know of such operations.
- b) To discharge those duties, states from which ransomware operation emanates, in full or in part, must take feasible measures to stop such operations and otherwise address the situation. Such measures may include the conduct of investigations, the adoption of legal and technical measures, as well as cooperation with other states. Any measures taken in this regard must be compliant with applicable obligations under international law, including international human rights law.
- States must take measures to protect the human rights of individuals within their jurisdiction from harmful ransomware operations, including when such operations are carried out by other states and non-state actors. To discharge this obligation, states may, among other measures, prohibit ransomware by law, take feasible steps to stop ransomware operations, mitigate their effects, investigate and punish those responsible, as well as prevent and suppress ransom payments to the extent possible. Where such protective measures interfere with other human rights, they must conform with applicable legal requirements, such as legitimate purpose, legality, necessity, proportionality and non-discrimination.
- The use of ransomware during armed conflict is subject to the applicable rules of international humanitarian law (IHL). These rules include, but are not limited to, the duty to respect and ensure respect for IHL, which entails an obligation to prevent violations of IHL; the duties to respect and to protect specific actors or objects, including medical personnel and facilities and humanitarian personnel and consignments; the duties concerning objects indispensable to the survival of the civilian population as well as those concerning works and installations containing dangerous forces; and other rules on the protection of civilians, civilian objects, and of persons who no longer participate in hostilities, such as the sick, wounded, and prisoners of war.
- The use of ransomware will amount to international crimes, such as genocide, war crimes and crimes against humanity, where the elements of those crimes are fulfilled.
- The application of the aforementioned rules is without prejudice to any other applicable rules of international law that provide protections against ransomware and related activities.
- Dapo Akande, Professor of Public International Law, Co-Director, Oxford Institute for Ethics, Law & Armed Conflict (ELAC), University of Oxford
- Mariana Salazar Albornoz, Member, Inter-American Juridical Committee (OAS) and Professor of International Law, Universidad Iberoamericana, Mexico City
- Kai Ambos, Professor and Chair of Criminal Law, Procedure, Comparative Law, International Criminal Law and Public International Law, Georg August Universität Göttingen, Germany
- Joshua Andresen, Deputy Head of School and Reader in National Security and Foreign Relations Law, School of Law, University of Surrey
- Pouria Askary, Associate Professor of International Law, Allameh Tabataba’i University
- William Banks, Board of Advisers Distinguished Professor, Syracuse University College of Law
- Richard Barnes, Professor, The University of Lincoln
- Orna Ben-Naftali, Professor of Law and Emile Zola Chair for Human Rights, The Striks Law Faculty, The College of Management Academic Studies, Israel
- Nehal Bhuta, Chair of Public International Law, University of Edinburgh
- Ziv Bohrer, Senior Lecturer in International Law, Faculty of Law, Bar-Ilan University
- Michael Bothe, Professor emeritus of Public Law, J.W. Goethe University, Frankfurt/Main
- Tomer Broude, Professor, Bessie & Michael Greenblatt, Q.C., Chair in Public and International Law, Faculty of Law and Department of International Relations, Hebrew University of Jerusalem
- Chester Brown, Professor of International Law and International Arbitration, Sydney Law School, University of Sydney
- Russell Buchan, Senior Lecturer in Law, University of Sheffield
- Michael Byers, Professor & Canada Research Chair in Global Politics and International Law, University of British Columbia
- Nicolás Carrillo Santarelli, Associate Researcher, Institute of Human Rights at Business, UDEM University of Monterrey
- Alejandro Chehtman, Professor of Law, Universidad Torcuato Di Tella (Argentina)
- Roger S. Clark, Board of Governors Professor Emeritus, Rutgers Law School, Camden, New Jersey
- Antonio Coco, Lecturer in Public International Law, University of Essex and Visiting Fellow at ELAC, University of Oxford
- Emily Crawford, Professor, The University of Sydney Law School
- Rebecca Crootof, Assistant Professor of Law, University of Richmond School of Law
- Federica D’Alessandra, Executive Director of the Oxford Programme on International Peace and Security, Blavatnik School of Government, University of Oxford
- Tom Dannenbaum, Assistant Professor of International Law, The Fletcher School of Law & Diplomacy, Tufts
- Margaret M. deGuzman, James E. Beasley Professor of Law, Temple University Beasley School of Law
- François Delerue, Senior Researcher in Cybersecurity Governance, Leiden University
- Diane A. Desierto, Professor of Law and Global Affairs, Faculty Director of LLM Program in International Human Rights, Notre Dame Law School and Keough School of Global Affairs, University of Notre Dame (USA)
- Talita Dias, Shaw Foundation Junior Research Fellow, Jesus College; Research Fellow, ELAC, University of Oxford
- William S. Dodge, Martin Luther King, Jr. Professor of Law and John D. Ayer Chair in Business Law, University of California, Davis, School of Law
- Jessica Dorsey, Assistant Professor of International and European Law, Utrecht University School of Law
- Pavan Duggal, Chairman, International Commission on Cyber Security Law; Founder-cum-Honorary Chancellor, Cyberlaw University; Advocate, Supreme Court of India
- Jeffrey L. Dunoff, Laura H. Carnell Professor of Law, Temple University Beasley School of Law
- Max du Plessis, Senior Counsel and Barrister, South Africa, Adjunct Professor, University of Cape Town and Nelson Mandela University
- Kristen E. Eichensehr, Martha Lubin Karsh and Bruce A. Karsh Bicentennial Professor of Law, University of Virginia School of Law
- Martin Faix, Senior Lecturer in International Law, Palacký University Olomouc/Charles University in Prague
- Tom Farer, Dean Emeritus and University Professor, Josef Korbel School of International Studies, University of Denver
- David P. Fidler, Senior Fellow for Cybersecurity and Global Health, Council on Foreign Relations (USA)
- Malgosia Fitzmaurice, Professor of International Law, Queen Mary University of London
- Micaela Frulli, Professor, Law Department, DSG, Università di Firenze
- Geoff Gilbert, Professor of International Human Rights & Humanitarian Law, School of Law and Human Rights Centre, University of Essex
- Chiara Giorgetti, Professor of Law, Richmond Law School, Richmond (VA,USA)
- Richard J. Goldstone, Retired Justice of the Constitutional Court of South Africa, former Chief Prosecutor of the ICTY and ICTR
- Guy S. Goodwin-Gill, Professor, Faculty of Law & Justice, University of New South Wales (UNSW); Andrew & Renata Kaldor Centre for International Refugee Law, UNSW; Emeritus Fellow, All Souls College, Oxford
- Gregory S. Gordon, Professor of Law, The Chinese University of Hong Kong Faculty of Law
- James A. Green, Professor of Public International Law, Head of Research, Bristol Law School, OWE Bristol
- Douglas Guilfoyle, Associate Professor of International and Security Law, University of New South Wales Canberra
- Oleg Gushchyn, Professor, Military Law Department, Taras Shevchenko National University of Kyiv, Ukraine
- Yael Vias Gvirsman, Director of the International Criminal and Humanitarian Law Clinic, Harry Radzyner Law School, Reichman University, Attorney and Consultant specializing in International Law
- Steven Haines, Professor of Public International Law, University of Greenwich
- Monica Hakimi, James V. Campbell Professor of Law, University of Michigan Law School
- Adil Haque, Professor of Law and Judge Jon O. Newman Scholar, Rutgers Law School
- Mohamed S. Helal, Associate Professor of Law, The Ohio State University; Member, Permanent Court of Arbitration; Member, African Union Commission on International Law
- Kevin Jon Heller, Professor of International Law and Security, University of Copenhagen (Centre for Military Studies); Professor of Law, Australian National University
- Christian Henderson, Professor of International Law, University of Sussex
- Stacey Henderson, Lecturer, Adelaide Law School, The University of Adelaide
- Duncan B. Hollis, Laura H. Carnell Professor of Law, Temple University School of Law
- María José Cervell Hortal, Professor of Public International Law and International Relations, University of Murcia, Spain
- Deborah Housen-Couriel, The Federmann Cyber Security Research Center at the Hebrew University of Jerusalem; Chief Legal Officer and VP Regulation at Konfidas Digital Ltd
- Karen Hulme, Professor of Law, University of Essex, United Kingdom
- Eric Talbot Jensen, Robert W. Barker Professor of Law, Brigham Young University
- Derek Jinks, A.W. Walker Centennial Chair in Law, University of Texas School of Law
- Kate Jones, Associate Fellow, Chatham House
- Ido Kilovaty, Associate Professor of Law, University of Tulsa College of Law
- Pierre Klein, Professor, Université libre de Bruxelles
- Robert Kolb, Professor of Public international law, University of Geneva
- Leonhard Kreuzer, Research Fellow, Max Planck Institute for Comparative Public Law and International Law, Heidelberg, Germany
- Joanna Kulesza, tenured Professor of International Law and Internet Governance, University of Lodz, Poland
- Masahiro Kurosaki, Associate Professor of International Law and Director of the Study of Law, Security and Military Operations, National Defense Academy of Japan
- Henning Lahmann, Hauser Global Postdoctoral Fellow, NYU School of Law
- Eliav Lieblich, Professor of Law, Buchmann Faculty of Law, Tel Aviv University
- Noam Lubell, Professor of International Law, Director of the Essex Armed Conflict and Crisis Hub, School of Law & Human Rights Centre, University of Essex
- Asaf Lubin, Associate Professor of Law, Indiana University Maurer School of Law; Faculty Associate, Berkman Klein Center for Internet and Society, Harvard Law School; Affiliated Fellow, Information Society Project, Yale Law School
- Kubo Mačák, Legal Adviser, Legal Division, International Committee of the Red Cross
- Fabrizio Marrella, Full Professor of International Law and Vice Rector for International Relations and International Cooperation, “Ca’ Foscari” University of Venice, Italy; Professeur invité, Sorbonne Law School
- Errol P. Mendes, Full professor of constitutional and international law, University of Ottawa, Canada; President, International Commission of Jurists, Canadian Section
- Tomohiro Mikanagi, Ministry of Foreign Affairs, Japan
- Marko Milanovic, Professor of Public International Law, University of Nottingham School of Law
- Lindsay Moir, Professor of International Law, University of Hull Law School
- Evgeni Moyakine, Assistant Professor, Section IT Law / STeP Research Group, Faculty of Law, University of Groningen
- Harriet Moynihan, Acting Director, International Law Programme, Chatham House (Royal Institute of International Affairs)
- Roda Mushkat, Professor of International Law, Johns Hopkins University, Paul H. Nitze School of Advanced International Studies (SAIS)
- James C. O’Brien, Vice-Chair, Albright Stonebridge Group
- Mary Ellen O’Connell, Robert and Marion Short Professor of Law and Research Professor of International Dispute Resolution, Kroc Institute for International Peace Studies, University of Notre Dame
- Stefan Oeter, Professor of public International Law and Director of the Institute of International Affairs, Faculty of Law, University of Hamburg
- Obiora C. Okafor, Edward B. Burling Chair in International Law and Institutions, School of Advanced International Studies, Johns Hopkins University, Washington DC, USA
- Roger O’Keefe, Professor of International Law, Bocconi University
- Inger Österdahl, Professor in Public International Law, Faculty of Law, Uppsala University
- Bruce Oswald, Professorial Fellow, Melbourne Law School, University of Melbourne
- Jordan J. Paust, Professor Emeritus, University of Houston Law Center
- Sejal Parmar, Lecturer, School of Law, University of Sheffield
- Anni Pues, Lecturer in International Law, Glasgow Centre for International Law and Security, University of Glasgow
- José Antonio Moreno Rodríguez, Arbitrator, Permanent Court of Arbitration; Member, Inter-American Juridical Committee of the Organization of American States
- Przemysław Roguski, Lecturer in Law, Jagiellonian University in Kraków, Poland
- Barrie Sander, Assistant Professor, Leiden University – Faculty of Governance and Global Affairs
- Andrew Sanger, University Lecturer in International Law, University of Cambridge
- Marco Sassòli, professor of international law, University of Geneva, Switzerland
- Ben Saul, Challis Chair of International Law, The University of Sydney
- Sergey Sayapin, Associate Professor and Associate Dean, School of Law, KIMEP University, Kazakhstan
- David J. Scheffer, Former U.S. Ambassador at Large for War Crimes Issues; Clinical Professor Emeritus and Director Emeritus, Center for International Human Rights, Northwestern University Pritzker School of Law
- Michael Schmitt, Professor of International Law at the University of Reading and G. Norman Lieber Distinguished Scholar at the United States Military Academy (West Point)
- Bruno Simma, former Judge at the International Court of Justice; Judge, Iran-United States Claims Tribunal
- David Sloss, John A. and Elizabeth H. Sutro Professor of Law, Santa Clara University School of Law
- Lucía Solano, Legal Adviser to the Permanent Mission of Colombia to the United Nations in New York
- Alfred H.A. Soons, Professor emeritus of public international law, Utrecht University School of Law, The Netherlands
- Arun Mohan Sukumar, PhD Candidate and pre-doctoral research fellow, Centre for International Law and Governance, The Fletcher School, Tufts University
- Professor Surya P. Subedi, QC, OBE, DC, Professor of International Law, University of Leeds, and Barrister, Three Stone Chambers, Lincoln’s Inn, London
- Patrick C. R. Terry, Dean and Professor of Law, University of Public Administration Kehl
- Kimberley Trapp, Professor of Public International Law, University College London
- Nicholas Tsagourias, Professor of International Law, University of Sheffield
- Tsvetelina van Benthem, Research Officer, ELAC
- Larissa van den Herik, professor of public international law, Grotius Centre for International Legal Studies, Leiden University
- Willem van Genugten, Professor em. of International Law, Tilburg University, The Netherlands
- Liis Vihul, Founder and CEO, Cyber Law International
- Michael Waibel, Professor of International Law, University of Vienna, Austria
- Christopher Waters, Professor, Faculty of Law, University of Windsor
- Steven Wheatley, Professor of International Law, University of Lancaster
- Jan Wouters, Full Professor of International Law and International Organizations, Jean Monnet Chair ad personam, Director Leuven Centre for Global Governance Studies – Institute for International Law, KU Leuven
- Pål Wrange, Professor of Public International Law, Stockholm University, and Director of the Stockholm Centre for International Law and Justice (SCILJ)