Pay Up, or Strike Back? Covering the Fallout from Cyberattacks

5 takeaways:

Civilian targets are no longer off-limits. Expect more lawsuits. Ransomware groups are targeting hospitals, pipelines and libraries because they pay. “The more civilian the target you pick, the more lucrative,” said RAND researcher Jonathan Welburn, who has argued for retaliation for ransomware. “If you’re a hospital, you’ve got people on ventilators, you’ve just got to pay up, right?” Many companies don’t disclose their ransomware payments (although reporters should dig through Securities and Exchange Commission filings to check). Gas stations harmed by the Colonial Pipeline hack have filed a class-action lawsuit against the pipeline, alleging negligence; such suits by victims and shareholders may succeed if companies are not using best practices for cybersecurity, Welburn said. Some insurers just pay the ransoms, but others might not reimburse, or might start requiring that companies they insure not pay up, said Thomas Wingfield, a former U.S. assistant secretary of defense. Congress – or individual states – could also decide to outlaw the paying of cyber-ransom in Bitcoin or cash, he said.

Journalists should ask three questions about every hack. Wingfield, who ran cyber operations at the Pentagon under President Donald Trump, said the first question to ask authorities is whether the hack is a crime. There are seven major federal laws against hacking. (The Justice Department recently charged Chinese hackers with violating various provisions of Title 18 U.S. Code 1081.) Wingfield said other hacks might violate the Computer Fraud and Abuse Act (18 U.S. Code 1030). The FBI and U.S. Department of Justice will usually explain these laws to journalists. Second, journalists should ask whether the hack has an intelligence angle; take those questions to the Office of the Director of National Intelligence. Espionage is a crime, although intelligence officials may decide not to discuss it. The third question for authorities: Does this cyberattack qualify as an armed attack?

An act of war is what decision-makers say it is, and they can respond as they wish. International lawyers do not use the term “act of war,” said Wingfield, who now researches cyberconflict at the RAND Corporation. “That’s for policymakers.” Instead, Wingfield said, lawyers will call it a use of force, which is unlawful, or an armed attack, which is not unlawful but is so damaging that it permits an armed response. If people are dead or injured in a cyberattack – or a significant amount of property is damaged – that is the equivalent of an armed attack, and countries may respond. “A common misconception is that cyberattacks or cyber-intrusions require a cyber-response. That’s something we can do, but we don’t have to do it,” Wingfield said. Governments often prefer to retaliate in covert or clandestine ways, and journalists should try to distinguish between them. “Covert means that the target never finds out that your government was behind whatever that action is. Clandestine means that the world never finds out about it, but it’s crystal clear to that [target] government,” he said. “And you want to have that kind of private deterrence… Not only is it surgical, but it also really cuts back on the danger of escalation, because the country no longer has to play to the world audience. No one knows that they’ve been gotten except for themselves. So it’s an excellent tool for presidents to have in case they need it.”

Consider the possibility of “false flag” attacks. Pirate ships once flew false flags to sneak up on their targets, and now cyberattackers do the same, said Welburn. In 2015, a group calling itself the “Cyber Caliphate” took down a French TV network. It was later discovered that the attackers were Russian government hackers, not ISIS sympathizers. Six years later, investigations move faster, but it can still take weeks to determine whether a cyberattack was conducted by a nation-state, a criminal group, a hack-for-hire outfit, or some combination. Reporters should try to learn whether the motive for a hack is espionage, intellectual property theft, profit, political embarrassment – or all of the above.

Congress is considering “hack-back” laws that would allow private companies to retaliate after cyberattacks. At the moment, a company that finds a hacker group inside its systems can kick them out, but some lawmakers argue that if a U.S. company such as Microsoft is attacked, it should have the legal right to hack back. “This is going to go up for debate, and I think there’s plenty of pros and cons to argument, probably more cons than pros,” Welburn said. Taking a page from old maritime laws that gave armed privateers “letters of marque and reprisal” to chase down pirates and recapture their bounty, private companies might also be allowed to track down hackers to recover ransoms, if they share what they learn with the U.S. government, Welburn and Wingfield said.

Speakers:

Jonathan Welburn, Operations Researcher, RAND Corporation; Professor, Pardee RAND Graduate School

Thomas Wingfield, Senior International and Defense Researcher, RAND Corporation


This program was funded by Microsoft, the RAND Corporation and donations to the National Press Foundation. NPF is solely responsible for the content.

Covering Cyberconflict 2021 – Covering the Fallout from Cyberattacks: Should companies hit with ransomware be allowed to hack their attackers back?