Never Pay the Ran$om

The first draft of this blog post began, (last month) with the assertion that one should never pay the ransom in a ransomware attack. This inevitably led to the question  "Are any or all ransomware attacks acts of terrorism?" This question turned out to be a much more nuanced and complicated one than the first draft of this blog post anticipated.

There are many definitions of terrorism. The one that I found most consistent with my own line of thinking is by Dr. Bernhard Blumenau, who defines terrorism in FN1 of an article in the May issue of Studies in Conflict and Terrorism as "The politically motivated use or threat of violence that is directed not just against the immediate targets but is meant to communicate with an audience beyond the primary victims of these acts. It is a tactic used to gain or solidify power."

Another definition in line with my own manner of thinking is often attributed to the CIA, which in relevant part represents that terrorism is "designed to change the existing political order." Paul R. Pillar, in the first chapter of Terrorism and Foreign Policy, while considering the form and function of a definition of terrorism observes "terrorists attack people who cannot defend themselves in return" (page 14) and later states that counterterrorism: "is an effort to civilize the manner in which any political contest is waged" (page 18). His discussion makes clear that violence or the threat of violence is part of his accepted definition.

The UN maintains that terrorism includes "Criminal acts, including against civilians, committed with the intent to cause death or serious bodily injury, or taking hostages, with the purpose to provoke a state of terror in the general public or in a group of persons or particular persons, intimidate a population or compel a government or an international organization to do or to abstain from doing an act."

These definitions are illuminating but not determinative in answering the question "Are any or all ransomware attacks acts of terrorism?"

To further our inquiry let's consider what characteristics these several definitions share:

Clearly global actors who concern themselves with addressing terrorism mitigation agree that terrorism includes 1. an aspect of violence, or the threat of violence, 2. engineered to reach an audience beyond its primary targets, 3. for political reasons, and 4. said targets are civilians (who cannot defend themselves in return).

The next part of our inquiry is much easier :)

We must consider the definition of a ransomware attack:

"Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them."

"Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry Worm," traveled automatically between computers without user interaction."

Let's turn to how the above definition of a ransomware attack, as applied to the four characteristics of terrorism that the various terrorism definitions share, informs our question.

The first part of the definition of a ransomware attack concerns an aspect of violence, or the threat of violence. This seems to be the most provocative part of our inquiry. Perhaps the threat of violence could be more easily interpreted by many ransomware scenarios. As someone who has been present at various meetings and panel discussions where attorneys with all different kinds of experience in cyber considered whether and when a cyber attack becomes a kinetic attack, perhaps the best thing that can be said about this question is that it may be a fact based inquiry.

Our second factor was whether the act was engineered to reach an audience beyond its primary target. The threat of disseminating information to a wider audience (or blocking access to it), is an act that, at the very least, suggests the malfeasor is considering how the act will be perceived by third parties, and perhaps even relying on these third parties, as a force multiplier of sorts, to make the threat hold more power over the victim. This observation is much more valid when the threat is to disseminate the data, rather than to hold it hostage, because, theoretically, the victim could keep it a secret that their data is being held hostage, but even that would be a decision based upon the consideration of parties beyond the malfeasor and the victim.

Okay, third question: Whether or not a particular ransomware attack is carried out for political reasons is probably also a fact based inquiry. For the purposes of this blog post let's observe that it is most certainly possible to carry out a ransomware attack for political purposes.

Now to the last question in the analysis--whether the target of the attack is a civilian. Okay, this at first seems like another simple, fact specific inquiry. But what about the part where we considered civilians *or* "parties who cannot defend themselves in return"? Hmm. It kind of goes without saying that if a bad actor is able to encrypt all of your data for ransom, from a distance, somewhere along the line there was an inability to defend oneself in return.

Now let's get back to the main question:

"Are any or all ransomware attacks acts of terrorism?"

If one believes that threatening to publish the victim's data or perpetually lock access to it
is violence or the threat of violence,  
then at the very least, some ransomware attacks are acts of terrorism
the ransomware attack was engineered to reach an audience beyond its primary targets,
the ransomware attack was carried out for political reasons
the victims of the ransomware attacks were civilians, or otherwise parties who cannot defend themselves in return. 

Whether a ransomware attack is an act of terrorism could be relevant for a number of reasons. Of course, our inquiry is valuable because it forces us to think critically about a particular type of cybersecurity related incident, and that has its own value. Additionally, answering this question could have legal consequences, for example your insurance policy might not cover acts of terrorism, or as another example, being a victim of an act of terrorism might allow a party to qualify for certain types of social services. Without wading too deeply into this ancillary issue, for the purposes of this blog post, we can observe that our inquiry may have legal relevance in contemplated, and perhaps uncontemplated domains.

While a coherent theory of cyber security continues to emerge and coalesce, now is a good time to remind the reader that the first draft of this blog post began, (last month :)) with the assertion that one should never pay the ransom in a ransomware attack.

Let's agree that reasonable minds may differ on the issue of whether to pay the ransom or not. My position is based on my legal training and experience, as well as education in counterterrorism, and can be summed up by opining that an unseen party who would intrude onto your computer or network, and threaten you is not going to do the right thing because you send them some coin. But of course you should make the decision that best suits your particular set of circumstances.

An organization with potential exposure to a ransomware attack (and/or other cyber related incidents) may want to address this risk by having a team designated in advance, ideally comprised to address 5 functions: a party whose function is that of a chief information officer, a party who makes business or management-related decisions for the organization, an in-house counsel who should be notified of such an incident immediately, an outside counsel and an outside data-related party, the nature and scale of which may depend on the incident.

By prioritizing the value of an organization's data and backing it up regularly, in a manner that reflects respect for the necessity of said data in the continuing operation of the organization, organizations and individuals can act decisively to neutralize the threat of a ransomware attack, whether it is an act of terrorism or not.

Have a great June all. It's a pretty good month.


Googacle Continues

We are just getting word that the U.S. Court of Appeals for the Federal Circuit has sided with Oracle in the latest round of this litigation. Please see here for a slideshare on Open Source Adoption Rates, with attention to slide
12, reproduced below:

Also, please see here for a table of cases cited in this most recent round of the litigation. Please note the intersection of cases cited by both sides, and also, the small number of Supreme Court cases that were cited overall. 


Fitness For a Particular Purpose

While serving a non-profit pro bono I spent some time researching antitrust issues in the standard setting process. Approaching anti-competition risk management from this perspective is quite different than approaching antitrust regulations from the perspective of defense counsel in the corporate space, and I am grateful for the opportunity to have considered this area of law from these divergent vantage points.

One may tend to orient oneself to a number of different facts and circumstances from within the context of the Clayton Act when approaching antitrust as a defense counsel in the corporate space; one is often dealing with more antitrust counsel and with opposing counsel, perhaps at the DOJ or the European Commission, or Ministry of Commerce, and these are parties who are necessarily well versed in antitrust law- they might even be the parties who wrote the laws or who spent five or seven or thirteen years on a particular matter, absorbing all of the relevant legal details as they followed a particular controversy from the complaint stage to the appellate stage.

In the non-profit space one might find oneself evaluating or making recommendations on specific scenarios or policies with attorneys and advisors who have high technical proficiency in their practice area, but not necessarily a background in business law.

Thus I would like to share a link to the helpful guide: ISO's "Competition Law Guidelines for Participants in the ISO Standards Development Process", which includes helpful tips such as:
"Do ensure that you and other participants that attend meetings have the necessary technical expertise."
"Do feel free to use and share information from the public domain, including historical and aggregated industry information (which doesn’t allow an individual business’s pricing or commercial strategy to be identified), but do be careful that it doesn’t lead to discussions on future strategy."
"Don’t fix any prices or price-related conditions with competitors."

Since it is Women's History Month, I am also going to share this chart from the US Department of Labor that conveys some statistics on women in the workplace. According to the chart, female chief executives comprise 28% of all chief executives in the labor force. Preschool and kindergarten teachers are 97.7% female. Lawyers are 37.4% female. Judges, magistrates, and other judicial workers are 28.1% female. Electricians are 2.5% female. Physicians and surgeons are 40% female.

From the chart, I was not able to deduce how many women are represented in standard setting organizations. It's an important question to consider; most of the above cited examples require a license, and are thus regulated by some set of standards somewhere.

It seems logical that the older a standard is, the more likely it is that it was devised exclusively by men. This would be true if gender balance statistics in standard making bodies are consistent with historic gender imbalances in the broader workplace. While some would want to spend time considering whether this is good, or unfortunately bad, I would merely posit that this is so.  Further, I would seize the opportunity to make a brief reference to Rawls' "Veil of Ignorance", while contemplating this assertion.

So, some questions to ask this Women's History Month when thinking about standards:
Who developed the standard? When was the last time the standard was evaluated? Have female experts ever commented on how they approached the standard? Is it the best available standard for evaluating fitness for a particular purpose? How would we begin to undertake a task such as reconsidering all of our existing standards, in all contexts, in a big data world?

Happy March, all.



This weekend I caught up with some guests from out of town and was somewhat chagrined to have to contemplate telling them that they might not be able to visit some of the country’s best sights due to the government shutdown of 2018. The botched plans of tourists were only one facet of ruminating upon what, exactly, would take place during such an event.

Amidst the anxiety generated by such governmental and political dysfunction, please be reminded that some professionals show leadership by conveying clear instructions in the event of such a contingency. Here’s a link to the SEC’s Operations Plan in the event of a government shutdown, which is posted on the agency’s website, and thus accessible to the general public: https://www.sec.gov/files/sec-operations-plan-gov%20shutdown-to-omb-12042017.pdf.  There is a similarly accessible plan posted on the DOJ website: https://www.justice.gov/jmd/page/file/1015676/download. The Department of Commerce’s contingency plan is 137 pages long: https://www.commerce.gov/sites/commerce.gov/files/plan_for_orderly_shutdown_due_to_lapse_of_congressional_appropriations_-_20171207.pdf in contrast to the previous two, which were less than twenty pages in length.  A link to the VA’s contingency plan may be found on this page: https://www.blogs.va.gov/VAntage/43654/va-contingency-plan-2017/. It seems to be formatted in MS, unlike the others just cited, which were PDFs.

Why isn’t there one of these contingency plans on the homepage of all of our government agencies, or at least for each Cabinet office? Now is probably a good time to observe that respect is earned, most often during moments when some are grandstanding while others quietly make sure people are supplied with a plan of action, and a government.  


Insidious Hacks

Have you ever been trying to share something online and find that when you look at the final published product, you misspelled something- even though you know how to spell it and your drafts reflect a correct spelling?

You might have been hacked. There are a number of hacks that can intercept your message and, for example, just remove one letter or change one letter from your draft.
Here's a link to a blog post that addresses a spam link injection- which operates on the same theory:

One of the reasons this is such an insidious hack, is that it lowers other parties' perception of your credibility. People tend to do business with people they like, who they perceive to be competent in their professional area. A spelling error on a crowdfunding page lowers the chance of success of that project by 13%, according to at least one academic source.

Further, this hack is insidious in that it could cause you to question your own memory- which could potentially be interpreted as intentional infliction of emotional distress.

Since crowdfunding is a regulated activity in many jurisdictions, it goes to follow that performing a hack of this type on a webpage associated with a crowdfunding campaign could be part of a much larger fraud, aimed at reducing the economic opportunities of a party or entity.

Another reason this type of hack is insidious is because it is subtle. If fifty-thousand dollars goes missing from a checking account, most persons would likely act. However if a colleague's list serve post reflects a spelling error- her less cyber savvy colleagues may slowly begin to doubt her judgement, but it is not likely that many would be thinking about reporting anyone to the authorities.

Some additional places to watch out for this type of malfeasance would be on blogs and social media posts, so take a screenshot of your draft and preserve your sanity.

Cheers to 2018, loves. 


Cyber and Risk Disclosure on The Last Day Of The Year

Season's greetings, dear readers. On the last day of 2017, please enjoy some thoughts on cyber and risk.

As cyber, risk and information security is such a varied and diverse landscape of experience, it is so important to listen, so as to encourage a candid exchange of ideas.

That being said, one observation, that I have observed at least twice, I feel is not evidenced by existing data: "Cyber risk disclosures always take place in hindsight".

First, let's see if we can agree that risk as a general concept is exposure to vulnerability, harm or loss.  There is a moment, then, when exposure to a vulnerability goes from being a possibility to an actuality. Thus, when disclosing an event that has become an actuality ("yes, we have been exposed to this risk"), indeed, hindsight is involved. When disclosing an event of which there is a possibility of exposure to a risk, is that hindsight? Does it depend on how possible?  This could be a relevant distinction with regard to the issue of  how to approach materiality, i.e. the several hundred million dollar question: Was the risk material?

Second, let's talk about forseeability, a favorite concept of tort professors (and tortfeasors) everywhere. Let's use a simple definition: "the idea that a reasonable person could reasonably anticipate the result or the results, as predictable."

Alas, now that foreseeability has entered our last-day-of-the-year conversation, it's time to mention something else heard a few times: "We as attorneys went to school to practice law, and not to become experts on cybersecurity." My response to this is that yes, that is true; most of us intended to study law, and were not necessarily focused on any other particular area outside of law, BUT, the market will address this position, and by that I mean, of course, the clients will look for and find attorneys with a more expansive view. 

So now let's put risk and foreseeability together: 
Surfing the internet involves risk, when software runs, there is a risk it will be/has been exploited. Thus, every moment online involves risk. Every IOT device involves risk. Flash involves a GREAT DEAL of risk. When engaged in or using the previously mentioned activities or products, it's foreseeable that some types of harm will occur, and there is an entire ecosystem of services and products in existence to address some of these risks.

There are some attorneys who have indicated that the risk involved in the packaging on your clients' product being punctured is commensurate with cyber risk, which one can take to mean some attorneys believe cyber risk only involves the risk of the client's end product or service being contaminated. But cyber is more than a supply chain issue.  It is a pervasive and persistent hazard that will not be adequately addressed if it is conceived as a supply chain issue only.

Now is a good time to go back to the statement: "Cyber risk disclosures always take place in hindsight". If you think about how what we are discussing here is more than a supply chain risk, that it is an issue that involves a pervasive and persistent hazard,  it may help some law practitioners to move beyond that statement, and we need to move beyond that idea or there will be more blackouts, more out-of-order hospitals,  and losses generally.

But it doesn't have to be that way... okay, back to listening. 

See you next year.



Closing Out The Year

Hello readers. I wanted to take a moment to address the issue of "Closing out the Year." I don't mean this in the business sense, I mean this in the personal sense.
In order to give some context about my frame of mind as I draft this, please allow me to share that I am lounging, in fuzzy pajamas, sipping coffee, and that is pretty much all I plan to do today. In DC today, Carpenter is on the docket; elsewhere in the world, trials are being delayed, slaves are being sold, provocateurs are provoking, and all of that is worthy of the attention it is receiving, and perhaps even more, but I will be content if I can publish this blog post today.

So what does that mean, to close out the year? You may recall from a previous blog post the notion of "taking some time to contemplate, aiming for an improved perspective, while observing the cycle of life." I try to do this at least once a year. The last twelve months have forced my hand a bit on the issue of personal reckonings, so it is even more important to take this time to scan the horizon and look at the big picture. Be wary of tunnel vision.

One helpful item with respect to closing out the year is to reiterate one's tautologies, if one has any. You can go ahead and make a list of these if you think it will help.

Two: Consider what has changed, and how it affects your plans for the coming year. It's good to set some time to specifically consider which of your life's conditions has changed in the last 365 or so days, almost as if it was an administrative task.

Three: Consider the people in your life. There are some things we can control, and there are some over which we have no control. Many wise people have observed that an important process in life is to learn to tell the difference between the two. I would add that once this is done, take a look at the parties with whom you find yourself surrounded and consider whether they continue to merit a place in your life. Who can you help? Who must you learn to forget?

Four: Consider your surroundings. Do you like where you find yourself? I seriously love New York, as you may already know, however, relocating can be a great thing, for example, for one's career. Spending the months that are typically cold in New York City, in a milder place such as Las Vegas, or France or something along those lines is what seems to have worked best for me. It can be a lot of work to maintain a residence you don't see that often, so remember that the goal is comfort, not exhaustion. Whatever your preference, as you consider 1-3 above, (especially three) consider such within the context of four. If you have had to make hard decisions in life I'm sure you already know that you can think someone is groovy, but if they do not share your ideas about surroundings, it is best to not over-invest in that relationship, because you are not going in the same direction.

Five: Execution. What will you do in the next 365 days to make this vision of your life and who you are, into a reality? What can you refrain from doing?

My best wishes to you as you close out the year,


Let Us Give Thanks 🦃

It's been a while since one of these blog posts addressed a favorite American pastime, cooking. As a way of saying "Thank You" to everyone who shares their cooking tips online, and as a way of getting ready for Thanksgiving, please read on for information on a technique that has the potential to make chicken or meatballs fluffier.

Half dollar sized chicken meatballs can work well as an appetizer. Lamb meatballs as well as pork and red meat meatballs also can work well in this size. Yum. Paired with a dipping sauce that is complementary to the entree, sharing these tiny savory treats is a great way to get guests relaxed and mingling around the dining room.

To prepare, assemble the meatball ingredients, including breadcrumbs, to your liking. The more breadcrumbs, the less dense the meatballs will be when they are cooked, and less dense is good for an appetizer. (Notwithstanding edamame, which makes a great appetizer; there are probably lots of other great dense appetizers...)  Now take some olive oil and warm it in a sauce pan. Once the oil is warm, add the warmed oil to the reserved breadcrumbs. The bread crumbs will immediately absorb the warm oil. Then add the bread crumbs to the meat mixture, or if you are reading this aghast at the use of ground meat, please feel free to try this with ground chick peas and share your results. You can preheat the oven around the time you start apportioning the meat mixture.

Chicken Meatballs Appetizer:

Ground chicken meat, 1 lb.
salt, thyme and rosemary to taste
1/4 cup milk
2 eggs beaten
1/2 cup olive oil
3/4 cup bread crumbs

Mix all ingredients, except for the breadcrumbs and the olive oil, together. The breadcrumbs should be in a separate ceramic or other heat-safe bowl somewhere. Warm the olive oil over low to medium heat in a saucepan. When the viscosity of the oil begins to change, the oil is warm enough. Take it off the heat and pour the oil over the breadcrumbs; use a fork to combine well. Let breadcrumbs sit for about a minute and then add to the ground meat mixture; combine well. Use an ice cream scoop or other spoon to apportion the meat mixture and roll into spheres that are about the diameter of a half-dollar.
Place in an oven-safe tray that is large enough to fit all of the meatballs without them touching and bake for about seventeen minutes at 450 degrees.

The dipping sauce: Remember earlier in the blog post where it states this recipe is best used for appetizers? Well think about what your main entree is going to be. If it involves roasting or sautéeing anything, make a simple roux and add some of the pan drippings from the roast, or from the sautée to the roux to create a complimentary dipping sauce for the appetizer. If you're fresh out of ideas, or if you are attending a pot luck and have no idea what the main course will be, try one of these ideas for a dipping sauce. 

Thank you for reading and Happy Thanksgiving🦃