6.01.2018

Never Pay the Ran$om

The first draft of this blog post began (last month) with the assertion that one should never pay the ransom in a ransomware attack. This inevitably led to the question "Are any or all ransomware attacks acts of terrorism?" This question turned out to be much more nuanced and complicated than the first draft of this blog post anticipated.

There are many definitions of terrorism. The one that I found most consistent with my own line of thinking is by Dr. Bernhard Blumenau, who defines terrorism in FN1 of an article in the May issue of Studies in Conflict and Terrorism as "The politically motivated use or threat of violence that is directed not just against the immediate targets but is meant to communicate with an audience beyond the primary victims of these acts. It is a tactic used to gain or solidify power."

Another definition in line with my own manner of thinking is often attributed to the CIA, which in relevant part represents that terrorism is "designed to change the existing political order." Paul R. Pillar, in the first chapter of Terrorism and Foreign Policy, while considering the form and function of a definition of terrorism observes "terrorists attack people who cannot defend themselves in return" (page 14) and later states that counterterrorism: "is an effort to civilize the manner in which any political contest is waged" (page 18). His discussion makes clear that violence or the threat of violence is part of his accepted definition.

The UN maintains that terrorism includes "Criminal acts, including against civilians, committed with the intent to cause death or serious bodily injury, or taking hostages, with the purpose to provoke a state of terror in the general public or in a group of persons or particular persons, intimidate a population or compel a government or an international organization to do or to abstain from doing an act."

These definitions are illuminating but not determinative in answering the question "Are any or all ransomware attacks acts of terrorism?"

To further our inquiry let's consider what characteristics these several definitions share:

Clearly, global actors who concern themselves with terrorism mitigation agree that terrorism includes 1. an aspect of violence, or the threat of violence, 2. engineered to reach an audience beyond its primary targets, 3. for political reasons, and 4. directed at targets who are civilians (who cannot defend themselves in return).

The next part of our inquiry is much easier :)

We must consider the definition of a ransomware attack:

"Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them."

"Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the 'WannaCry Worm,' traveled automatically between computers without user interaction."

Let's turn to how the above definition of a ransomware attack, as applied to the four characteristics of terrorism that the various terrorism definitions share, informs our question.

The first part of the definition of a ransomware attack concerns an aspect of violence, or the threat of violence. This seems to be the most provocative part of our inquiry. Perhaps many ransomware scenarios could more easily be interpreted as a threat of violence. As someone who has been present at various meetings and panel discussions where attorneys with all different kinds of experience in cyber considered whether and when a cyber attack becomes a kinetic attack, perhaps the best thing that can be said about this question is that it may be a fact-based inquiry.

Our second factor was whether the act was engineered to reach an audience beyond its primary target. The threat of disseminating information to a wider audience (or blocking access to it) is an act that, at the very least, suggests the malfeasor is considering how the act will be perceived by third parties, and perhaps even relying on those third parties, as a force multiplier of sorts, to make the threat hold more power over the victim. This observation is much more valid when the threat is to disseminate the data rather than to hold it hostage, because, theoretically, the victim could keep it a secret that their data is being held hostage, but even that would be a decision based upon the consideration of parties beyond the malfeasor and the victim.

Okay, third question: Whether or not a particular ransomware attack is carried out for political reasons is probably also a fact-based inquiry. For the purposes of this blog post let's observe that it is most certainly possible to carry out a ransomware attack for political purposes.

Now to the last question in the analysis: whether the target of the attack is a civilian. Okay, this at first seems like another simple, fact-specific inquiry. But what about the part where we considered civilians *or* "parties who cannot defend themselves in return"? Hmm. It kind of goes without saying that if a bad actor is able to encrypt all of your data for ransom, from a distance, somewhere along the line there was an inability to defend oneself in return.

Now let's get back to the main question:

"Are any or all ransomware attacks acts of terrorism?"

If one believes that threatening to publish the victim's data or perpetually lock access to it
is violence or the threat of violence,
then at the very least, some ransomware attacks are acts of terrorism
if
the ransomware attack was engineered to reach an audience beyond its primary targets,
and
the ransomware attack was carried out for political reasons
and
the victims of the ransomware attack were civilians, or otherwise parties who cannot defend themselves in return.

Whether a ransomware attack is an act of terrorism could be relevant for a number of reasons. Of course, our inquiry is valuable because it forces us to think critically about a particular type of cybersecurity-related incident, and that has its own value. Additionally, answering this question could have legal consequences: for example, your insurance policy might not cover acts of terrorism, or, as another example, being a victim of an act of terrorism might allow a party to qualify for certain types of social services. Without wading too deeply into this ancillary issue, for the purposes of this blog post we can observe that our inquiry may have legal relevance in contemplated, and perhaps uncontemplated, domains.

While a coherent theory of cyber security continues to emerge and coalesce, now is a good time to remind the reader that the first draft of this blog post began (last month :)) with the assertion that one should never pay the ransom in a ransomware attack.

Let's agree that reasonable minds may differ on the issue of whether to pay the ransom or not. My position is based on my legal training and experience, as well as education in counterterrorism, and can be summed up by opining that an unseen party who would intrude onto your computer or network and threaten you is not going to do the right thing because you send them some coin. But of course you should make the decision that best suits your particular set of circumstances.

An organization with potential exposure to a ransomware attack (and/or other cyber-related incidents) may want to address this risk by having a team designated in advance, ideally composed to cover five functions: a party whose function is that of a chief information officer, a party who makes business or management-related decisions for the organization, an in-house counsel who should be notified of such an incident immediately, an outside counsel, and an outside data-related party, the nature and scale of which may depend on the incident.

By prioritizing the value of an organization's data and backing it up regularly, in a manner that reflects respect for the necessity of that data to the continuing operation of the organization, organizations and individuals can act decisively to neutralize the threat of a ransomware attack, whether it is an act of terrorism or not.


Have a great June all. It's a pretty good month.