A woman writhes on a gurney in the back of an ambulance racing to get treatment for her aortic aneurysm. The paramedics radio to the closest hospital to announce their impending arrival. But they’re told the hospital is in the grips of a ransomware attack, critical systems are offline, and they can’t accept new patients. The heart patient would have to go elsewhere. That meant an hour-long drive to the next comparable facility. And by the time she was able to receive treatment, the woman died.

This isn’t hypothetical. This exact scenario happened in Germany in September 2020. And when it did, numerous voices in the cybersecurity community (mine included) called it the first death to be directly caused by a cyber attack. Ransomware disabled the hospital. And if the woman had been able to receive treatment sooner, she likely would have survived her cardiac episode. Responsibility for her death seemed to fall squarely on the shoulders of the hackers behind the ransomware attack.

German prosecutors agreed. They saw in the attack an open and shut case of negligent homicide. But, under German law, in order for someone to be convicted of that crime, prosecutors needed to establish legal causation between the actions of the defendant and the resulting death. And that’s where things got tricky.

Cyber Attacks as Criminal Acts

The Computer Fraud and Abuse Act was enacted in the US in 1986 and represented the first major effort to prevent hacks through criminal law. Many other countries adopted similar laws – some later than others – but all realized early on that cybercrime needed (but lacked) an appropriate legal apparatus.

Cybercrime laws around the world have evolved and matured significantly since then. GDPR in Europe drastically raised the bar for data protection and privacy while leveling severe penalties for any infraction. California adopted a similar law, as have other US states, and the recent Strengthening American Cybersecurity Act of 2022 established sweeping cybersecurity requirements for all federal offices and many of the vendors they work with. Never has “cyber” legislation been as expansive as now, and all signs suggest this regulatory framework will only expand further.

One area where it remains immature, however, is in regard to prosecuting offenders for the damage caused by cyber attacks. Most laws measures damage (and thus assign penalties), based on the number of records stolen or the amount of downtime caused. But the law stops there. Most downstream effects of the attack are considered irrelevant.

Which makes sense. For most of history, cyber attacks have been seen as IT issues first and foremost. And while they could certainly cause plenty of damage and disruption, it was seen as confined to the digital realm. Rarely did attacks spill over into the physical world, so there was no reason to contextualize those attacks within existing criminal law.

But that’s changing fast. One example is the attack on the Colonial Pipeline in May 2021. A ransomware attack disabled one of the largest oil pipelines on the Eastern Seaboard, resulting in fuel shortages, panic buying at the pump, and changes to flight schedules due to lack of fuel. President Biden declared a State of Emergency as a result. And while the attack thankfully left no one dead or injured, it nonetheless highlights how cyber attacks can directly affect people’s health and safety. Ransomware directed at hospitals, schools, and police departments has a similar effect. And as we see hackers become increasingly emboldened and unscrupulous, future attacks won’t just disrupt data or apps – they will ruin lives.

Learning From the German Example

It’s telling what ultimately happened in Germany. After a two-month investigation, prosecutors concluded that they couldn’t meet the standard of proof necessary to link the woman’s death with the ransomware attack definitively. Prosecutors needed to show that had the ransomware attack never occurred, the woman would have lived. But after consulting with medical professionals, it was believed the woman would have died no matter where or when she received treatment. So while the ransomware attack made a bad situation worse, the heart condition, not the attack, caused the death.

Lacking any expertise in German criminal law, it seems to me that prosecutors got it right in this case. Nonetheless, it’s impossible to hear this anecdote and not think about a slightly different variation: where medical devices get disabled by ransomware, and patients dependent on those devices die. Unfortunately, it’s only a matter of time before this scenario (or countless similar alternatives) happens. And when it does, will the law be able to prosecute those behind the attack for those deaths? Or will hackers skate by on a lesser charge, signaling to others that devastating attacks don’t come with devastating consequences for the perpetrators?

Time will tell. Until then, however, I hope we draw a lesson from what happened in Germany and start thinking more about cyber attacks as attacks on people, not just IT.

#cybersecurity #ransomware #law #cybercrime #Germany #hospital

It was only a few weeks ago that I was writing about a CISA alert warning about the dangers of Iranian-government-sponsored hackers exploiting Log4J vulnerabilities to strike at varied targets across the globe. I argued that Iran’s actions illustrate what the future of cyber warfare will look like as countries increasingly strike at digital rather than physical targets to exert their influence. Hammering home that point, CISA has already issued another alert cautioning against an entirely different kind of attack perpetrated by Iranian hackers.

With this latest action, Iran has shown both a willingness to use cyber attacks to achieve their geopolitical ambitions, along with ingenuity in their methods. Of course, most countries are jockeying with each other in cyberspace, and labeling any of their motivations as “good” or “bad” probably misunderstands the pugilistic nature of international relations. Other countries are doing what Iran does – and putting even more resources behind the effort. But even with those caveats, it’s hard not to see Iran as a country both willing and able to play the role of cyber supervillain – someone who makes digital space more dangerous for everyone.

To help put that claim in a greater context, let’s take a look at the latest attack.

Attack Autopsy

Starting around May 2021, Iranian state cyber actors calling themselves “Homeland Justice” (with nationalistic flair) infiltrated the network of the Albanian government. They hid inside for the next year, maintaining continuous network access while quietly accessing and exfiltrating email content. The attackers conducted lateral movements, ran network reconnaissance, and began credential harvesting beginning in May 2022. And by the middle of that summer, they had everything they needed to launch a devastating ransomware attack. The Albanian government never stood a chance.

Ransomware was launched on their networks in July 2022, accompanied by a threatening message directed at a group critical of Iran’s Revolutionary Guard with several thousand members living in Albania. While simultaneously stealing and encrypting the data with one attack, the offenders were also wiping raw disk drives using a separate attack in a strategy orchestrated to inflict maximum damage almost immediately. Numerous government digital services and websites were temporarily knocked offline. Unfortunately, that was just the start.

Homeland Justice then created a website and social media profiles taking credit for the attacks and publishing proof. Their goal was not just to gloat. They also release the data, first posting a poll to ask what data people wanted, then releasing videos and zip files with the leading responses. So not only was the Iranian government stealing another country’s data – they were offering it up for anyone else to exploit for whatever purposes they wanted. Twisting the knife even more, Homeland Justice struck the Albanian government again in September 2022 with a similar barrage of ransomware attacks.

Understandably enraged, the Albanian government formally cut diplomatic ties with Iran – the first such response to a cyber attack. The Albanian Foreign Minister Olta Xhacka commented, “The aggressiveness of the attack, the level of attack, and moreover the fact that it was a fully unprovoked attack left no space for any other decision.”

Implications of the Attack

The technical details of the attack – plus the prevention CISA suggests – are worth a closer look, especially since Iran has been willing to attack almost any target anywhere. But in this instance, the mechanics of the attack are less interesting than the motivations behind it and the implications for future attacks.

Iran sponsored this attack ostensibly in response to the anti-government sentiment gaining traction in parts of the population. Cracking down on dissent is nothing new for governments. But doing so by launching a multi-month cyber attack on a small, distant country, bragging about it online, then offering to share the spoils has no historical precedent that I can think of. What effect this will have on the ongoing protest movement in Iran remains to be seen. No matter the outcome, though, Iran has pioneered a new way for states to undermine activist movements, and many will not hesitate to deploy similar tactics to maintain their hold on power.

I’m also struck by how this attack weaves together different tactics and techniques, combining a lengthy infiltration effort with a shock-and-awe ransomware attack followed by online data leaks and a surprise second punch. It’s devious. It’s also a little bizarre in its determination. I’m sure an Iran expert could give some important context into why Iran hit Albania so hard. But when they felt compelled to do so, they had both the means and the certainty of success – how many attacks between nation-states can say the same thing?

What will Iran do next? Even if you don’t agree with my “cyber supervillain” characterization, it’s a question everyone’s wondering. And given recent events, they should probably be worrying about it too.

#iran #cyberattack