Ransomware Law and Policy. (2023)

Quote link/page

INDEX. INTRODUCTION 1179II. THE 1183A RANSOMWARE PROBLEM. Definition of 1183B ransomware. Existing Regulations and Limitations 11861. National Law 11862. International Law 1192C. The causes of the insufficient application of ransomware 11961. Information asymmetries 11962. Contentious jurisdiction 11973. The tragedy of the commons 12004. Administrative deficits 12005. Forensic and diplomatic challenges 1202III. REDEFINITION OF THE CRIME OF RANSOMWARE 1203A. Ransomware and the ban on Hostis Humani Generis 1203B. Prohibition by extension and analogy by contract design? 12051. New International Instrument 12062. Analogy and Extension 1207IV. BUILD THE 1210A RANSOMWARE ENFORCEMENT TOOLKIT. Naming and Shaming Host States 1211B. Extraterritorial Execution and Indictment 1212C. Improving home cybersecurity 1213V. CONCLUSION 1215

INTRODUCTION

On June 10, 2019, the quaint town of Lake City, Florida suffered a major ransomware attack that wiped out most community activities and services. (1) A city employee opened a malicious email containing a compromised document that infected city computers with ransomware. (2) At 7:30 am, “the computers weren't working and the phones weren't working either. Even cell phone contacts were wiped... Almost all city systems, including water and gas payment systems, were rendered unusable. Photocopiers also connected to the computer network were not working." (3) With approximately sixteen terabytes of information effectively blocked and online payment systems inoperative, the city was caught by surprise. (4) City officials were forced to to “Paper receipts and handwritten building permits.” (5)

Ransomware attacks are designed to deny access to a computer system or data, usually through encryption, until the victim pays extortion payments to the attacker. (6) The ransomware used in the Lake City attack was the Ryuk malware. (7) According to the UK's National Cyber Security Center (NCSC), "Ryuk was first seen in August 2018 and was responsible for multiple attacks around the world." time after initial infection is observed, from days to months, allowing time for the [malicious] actor to perform reconnaissance within an infected network and identify and target critical systems on the network, thus maximizing impact of the attack". (9)

Days after the initial infection, a ransom demand reached Lake City authorities like clockwork. First, the city tried to get its systems fully operational again with the help of the Federal Bureau of Investigation (FBI) and a consulting firm (10) hired by its municipal venture group, the League of Florida Cities. (11) Unfortunately, Lake City, like many other cities in America, did not dedicate sufficient resources to cyber security and lacked basic resources that could prevent its computer networks from becoming vulnerable to this attack or, at least, allow a recovery Faster. (12) In fact, two weeks after the incident, the city manager made the decision to remove the city's Director of Information Technology (IT) for omissions related to the incident. (13)

Unable to restore network functionality, the city risk group hired a commercial ransomware company called Coveware, which contacted the hackers and reduced their ransom demands to eighty-six bitcoins (about $700,000 according to the exchange rate at the time) for forty-two bitcoins (approximately $460,000), of which the city only paid the $10,000 deductible, while the league of cities paid the rest. (14) Ultimately, even with the encryption key provided by the hackers, each terabyte of encrypted data took "about 12 hours to recover" and nearly "a month after the attack," the city still hasn't been able to get back on track. complete operations. (15) In addition, the city's own budget reports indicated that, in addition to the ransom, the city incurred $350,000 in expenses related to the ransomware attack, as well as other costs related to equipment and software to update system security and IT infrastructure across the countryside had to pay for the city. (sixteen)

Lake City is not alone. From a utility company in India (17) to the Royal Zoological Society of Scotland (18) and the judicial system of the state of Rio Grande do Sul in Brazil (19), ransomware is everywhere and everywhere. In the United States, ransomware is so widespread that it has been identified as a national security issue, leading to the involvement of the US Cyber Command and National Security Agency being activated. (20) In recent years, ransomware attacks have targeted a regional hospital in Indiana, (21) a school district in Michigan, (22) a courthouse in Texas, (23) and a port in California. (24) Lady Gaga isn't immune either. (25)

The problem has become so widespread that comedian John Oliver devoted a section of Last Week Tonight to it, noting that the threat has gone from being a "trickle to an absolute flood." (26) Ransomware is not only increasing in number, but also in severity. In 2016, hackers perpetrated around 4,000 ransomware attacks worldwide every day, an already alarming number. (27) However, by 2020, "attacks have leveled off at 20,000 to 30,000 per day in the US alone." (28) That's one ransomware attack every eleven seconds, (29) each costing victims an average of nineteen days of network downtime and a payout of more than $230,000. (30) In 2021, the global cost associated with ransomware recovery exceeded $20 billion. (31) Some now predict that, by 2031, ransomware will cost victims "approximately $265 billion (USD) a year...with a new attack (on a consumer or business) every 2 seconds." (32)

This article provides an overview of the regulatory challenges related to ransomware prevention. Part I of this article, embedded in the broader literature on non-compliance, examines the root causes of limited criminalization, law enforcement, and international cooperation that have exacerbated this nasty cybersecurity problem. Specifically, the article examines the forensic, administrative, judicial, informational, and resource allocation challenges that have plagued the fight against digital extortion of the global commons.

To address these challenges, Part II of the article makes the case for the international criminalization of ransomware. Citing existing international regulations, namely the 1979 Hostage-Taking Convention, the 2000 Transnational Crime Convention, and standard prohibitions on hacking and terrorism offences, the article states that certain types of ransomware attacks are already criminalized. as a crime under existing international law. In fact, the article draws on each of these case studies to describe the criminalization of ransomware as the "fourth generation" ban on hostis humani generis (enemies of humanity).

Finally, Part III of the article outlines the various possibilities that can arise from treating ransomware gangs as international criminals subject to universal jurisdiction. The article focuses on three immediate consequences that can result from such internationalization: (1) escalation of policies to designate and shame safe-haven states, (2) authorization of extraterritorial enforcement and cyber processes, and (3) further development of home security empowerment strategies. government cybersecurity.

II. A RANSOMWARE PROBLEM

A. Definition of ransomware

Ransomware is a type of malware that targets data with the intention of making it permanently inaccessible through encryption or by threatening to reveal it unless a ransom is paid. (33) Ransomware proliferation methods range from compromised mobile apps to infected websites or email attachments. (34) Recently, a significant number of attacks have been carried out via a "remote desktop protocol... that does not rely on any form of user interaction." (35)

Hackers often demand payments in cryptocurrencies, as they are less regulated and harder to control under existing anti-money laundering laws. (36) In particular, the application of "Know Your Customer" and other "customer identification methods" is hampered by the decentralization and anonymity associated with these digital currencies. (37)

Ransomware attacks come with deadlines. “If the victim decides to miss the deadline, the attackers increase the price or remove the decryption key.” (38) Furthermore, the ransom payment does not necessarily terminate the transaction. “Some programs also infect other devices on the network, making new attacks possible. Other examples of ransomware also infect victims with malware, such as credential-stealing Trojans.” (39)

According to SOPHOS, a British security software and hardware company, "46% of organizations whose data was encrypted during a ransomware attack paid the ransom in 2021." $1 million or more." (41) Each of these payments helps fuel the criminal enterprise behind the ransomware, making it easier for new attacks. The unfortunate reality is that paying for each individual victim makes financial sense, even if it means cutting costs and forcing negative impacts on society.

Ransomware attacks target all industries and walks of life, from law firms to hospitals and academic institutions, insurance companies and police departments. But ransomware is an even bigger problem. Recently, ransomware gangs have started targeting individuals and small shops. (42) In the words of John Oliver, ransomware is now "so ubiquitous that it's hitting pipes and barns." (43) In general, hackers try to focus their efforts on victims who share two common characteristics: first, they lack the experience and resources to ensure effective cybersecurity hygiene; and second, they have inherent incentives to quickly end service interruptions and bring operations back online. (44)

The European Union Agency for Cybersecurity (ENISA) noted in its 2021 Annual Threat Landscape Report that “Ransomware has increased in frequency and sophistication… they belong. (45) ENISA went even further, implying that we now live in the “golden age of ransomware”, that it “has become a national security priority” and that it “has not yet reached its peak of impact”. . (46)

B. Existing regulations and their limitations

In light of this evolving threat landscape, it is sobering to realize how fragmented and patchy global and national regulatory responses have been to date. In this subsection, I will review both existing national laws in the United States (the main target of ransomware attacks (47)) and international laws.

1. Domestic law

Within the limits of this article, I cannot provide a complete description of all the US national mechanisms for regulating and enforcing ransomware. Instead, I would like to highlight two main concerns: (a) irregular and inconsistent state legislation; and (b) ad hoc and indecisive federal compliance. Together, these two factors create an environment in which ransomware gangs continue to thrive.

a. Incomplete and inconsistent state legislation

A handful of states have enacted laws criminalizing aspects of ransomware. For example, [Section] 523 of the California Penal Code makes it a crime to "insert ransomware into a computer, computer system, or computer network" if the intent is to "extort the property or other consideration of a third party" and if "such property or another consideration has really been earned." (48) Compare the California law with [Section] 33.023 of the Texas Penal Code. In Texas, it is a crime for an individual to "inadvertently insert ransomware into a computer without a computer network or computer system for legitimate business purposes." (49) Note the difference between the two statutes. While in Texas it is generally sufficient to simply "drop" ransomware malware onto a device, in California the requirements are much stricter, requiring both "Blackmail Attempt" and the actual acquisition of "property or other consideration" due to the bribery. These differences are significant as they create real gaps in the way offenses are defined and ultimately can be applied across all states. (fifty)

In addition, all fifty states have data breach notification laws that require notification of data breaches to the appropriate state regulators and, in certain cases, to affected consumers. However, reporting requirements differ at the state level. Specific terminology around what constitutes a trigger event can lead to the exclusion or inclusion of ransomware attacks in the definition of a data breach. This is especially true if the ransomware attack did not involve data exfiltration or other forms of unauthorized access or acquisition (note that in traditional data encryption cases, the hacker does not access or hijack the files that are located on the rest of the original computer - the hacker simply locks these files with an encryption key). (51)

States are also the primary regulators of insurance law. So far, only one state insurance regulator, New York, has attempted to regulate cyber insurers on ransomware issues. On February 4, 2021, the New York Department of the Treasury, led by Superintendent Linda Lacewell, introduced the first national regulation of cyber insurance in the United States. (52) The circular contained only one specific requirement: policyholders must report ransomware attacks to law enforcement authorities. (53) However, as I have written elsewhere,

A government regulator cannot handle such a class action problem on its own. The race to the bottom will continue if miscommunication remains the norm outside of New York State. It is best to leave this issue to federal regulation, not the state. The circular also says nothing about the body to be reported on or the scope of the report. The reality is that the state cannot enforce disclosure on federal agencies over which it has no authority, nor can it be sure that, once notification is sent, it will be captured and effectively enforced. A notification policy is only as good as the resulting enforcement action. State and local law enforcement agencies are certainly incapable of dealing with the threat of global cybercrime and cyberwarfare, highlighting the futility of reporting. (54)

Finally, states are also divided on how they govern the public's response to ransomware attacks. North Carolina was the first state to pass legislation prohibiting ransom payments by public entities such as state agencies, counties, and municipalities. (55) North Carolina also prohibited dealings with hackers. (56) Florida passed similar laws prohibiting the payment of ransoms. (57) But while North Carolina includes public school districts and universities on its list of public entities prohibited from paying a ransom, Florida law does not. (58) Also, unlike North Carolina, Florida law does not prohibit communication with hackers. (59) As some professionals have pointed out,

[m]More legislation of this nature may be on the horizon as Pennsylvania and New York consider similar mandates. The Pennsylvania proposed legislation would give authorities a tight deadline to report the ransomware attack to the appropriate state authorities within two hours and would prohibit the use of taxpayer money for ransomware payments, except in certain circumstances in which the Governor approve the payment. The New York legislation, if enacted, would prohibit ransomware payments not only by public entities, but also by private companies. (60)

State laws criminalizing ransomware, data breach notification laws, cyber insurance regulations, and ransomware payment bans differ drastically. Because cyber damage and cybercrime know no territorial boundaries, this patchwork of conflicting government responses has weakened the ability of federal and state governments to effectively address threats and mitigate damage.

B. Federal concern for this purpose is undecided

The federal government has repeatedly recommended against paying ransoms (61) and has even warned of penalties if payments are made with knowledge of likely interference with Treasury Department sanctions. (62) So far, however, the government has not imposed any sanctions against such payments, despite the fact that state and local public agencies were behind the payment. (63) The FBI, for example, treated the decision to pay the ransom as a legitimate business decision and went on to say that prohibiting the payment could have dramatic consequences. (64) As an FBI official noted in a statement before the US House Judiciary Committee, “if a company has paid and now has broken the law, then a cyber adversary has an opportunity to hold it accountable to the public and threaten her with even more blackmail.” (65)

This sends mixed signals to the public and affects the ability to reduce the total number of payments made. (66) Additionally, due to the magnitude of the damage, the government can only respond to a fraction of actual cases, which discourages the public from contacting authorities. (67)

That is not to say that there have not been successes. The new Department of Justice (DOJ) Digital Extortion Task Force has taken some notable public steps. For example, in June 2021, the DOJ seized $2.3 million in cryptocurrency paid to the Darkside ransomware, and in November 2021, the DOJ seized an additional $6 million in ransom payments from two Russian and Ukrainian citizens who were behind the ransomware. REvil ransomware. (68) Some have praised what they called "coordinated anti-ransomware" by the federal government, which in late 2021 produced evidence of "recovered ransom payments, obtained decryption keys, leaked communications [and] successful multinational enforcement efforts." of the law".

The federal government also relies on extradition as a tool to bring cybercriminals to justice for ransomware attacks and related money laundering. The government relied on charges of wire fraud, access device fraud, and computer fraud and successfully attacked foreign hackers. (70) Maksim Berezan, for example, was extradited to the United States from Latvia and pleaded guilty to such charges in April 2021 after committing ransomware attacks "causing losses of more than $53 million." (71)

But despite these examples and the general optimism surrounding them, many concede that "the sheer volume of attacks means that a handful of law enforcement officers is unlikely to make a difference" as "the system is still very lucrative for let the criminals leave it." (72) In fact, as one cybersecurity researcher noted, ransomware gangs “learn from each other's mistakes and improve their [operational security]” because ultimately, even if the government works to shut them down, “they will stay here". (73)

Against this backdrop of uncertain government action and growing ransomware threats, private companies have begun to play a much more expansive role. Cybersecurity companies now offer ransomware brokerage services, and commercial cyberinsurers are connecting victims with these companies, as well as public relations and data recovery firms, with the goal of lowering the overall cost of each attack. (74) In other words, instead of cooperating with law enforcement agencies, ineffective state and federal actions have created new private markets for ransomware containment. These markets thrive by keeping the threat of ransomware alive. They are not interested in its complete eradication, nor does their business model support close partnership with state and federal agencies.

2. International Law

At the international level, basic principles and principles of international law, such as the rules of sovereignty, non-interference, and the prohibition of the use of force, do not place meaningful prohibitions on ransomware attacks. This is because international law sets high limits for the violation of any of these rules, and most criminal ransomware activities do not reach these limits.

Most ransomware attacks do not constitute a use of force within the meaning of Article 2(4) of the United Nations Charter. To constitute a use of force, a cyber attack must be comparable in its "scope and impact" to a non-cyberkinetic use of force. (75) In other words, a cyber attack must be compatible in scope and consequences with the type of damage that physical violence can cause. However, most ransomware attacks only cause financial damage and therefore have limited impact.

Also, most ransomware attacks do not violate the normal policy of non-interference. The decision of the International Court of Justice of Nicaragua defined unlawful interference as that relating to "matters in which each State... is free to decide" (76), such as "the choice of a political, economic, social and culture and the formulation of foreign policy". (77) This first element is often referred to as the retention of title requirement (the "reserved area" of the central areas of state activity). Second, Nicaragua asserts that a state must be forced to make decisions.78 The doctrine only prohibits forced interventions.

Ransomware attacks rarely represent forced intrusions into the domain reservation of the target state. Keep in mind that during most ransomware operations, individuals and companies are targeted, and no state is required to act "involuntarily" or deny an action it would otherwise have taken. (79) Even if the target is a public entity (for example, a police department or a public school) and that entity is obligated to pay the ransom, such payment still does not constitute coercion, since the decision to pay is not a of which it can be said that they fall within the domain reservation. The ransomware must disrupt political, social or economic life with direct and significant consequences. In addition, the intervention in the State and society is contained and limited and, therefore, does not reach the level of an intervention.

In sovereign terms, for ransomware to constitute an international wrongful act, it must first be attributable to a state with sufficient evidence (a challenge in itself). (80) Finally, most ransomware gangs are criminal gangs and not government agencies. The connection between these gangs and the countries in which they operate is often ambiguous, barely passing the rigorous "leadership and control" or "advocacy and recognition" tests to arrive at effective attribution. (81)

Even more worrisome, states disagree on the exact scope of sovereign equality in cyberspace, and as such, the doctrine is unlikely to be a significant ransomware limitation at this time. As summarized by Lt. Col. Visger,

[b] By choosing to treat sovereignty as a principle rather than a substantive rule, the UK asserts that violations of sovereignty are not themselves violations of international law. This position triggered the well-known sovereignty debate, in which most states rejected the UK's position and concluded that a violation of sovereignty is, in fact, contrary to a state's obligations under international law. (82)

Even when it has been established that sovereignty is a rule in itself that can be violated, it is skeptical that ransomware is a good candidate for such a violation. Are encryption and ransom demands, when made remotely over the Internet, a violation of territorial sovereignty? Do these actions interfere or occupy functions inherent to the State? Do they cause physical damage, injury, or loss of function of the kind that could be considered a trigger for a violation of sovereignty? (83) These are all difficult questions of interpretation and application that lack international consensus.

In general, international legal rules for cyberspace are "emerging and evolving." (84) So far, states are not willing to give up their own “freedom to act by adopting or developing specific provisions of international law” that could restrict ransomware activities. (85) States prefer to operate in an apparently lawless space for cyber activities, in which all offensive and defensive action is considered legal, even if the result is an inability to regulate the adversary's use of these tools to cause damage.

Even to the extent that the rules of nonviolence, noninterference, or sovereignty could be applied to a small group of particularly damaging and dramatic ransomware attacks, it would not be enough to solve the overall problem. Most ransomware will remain outside the scope of international regulations.

The same goes for certain custom rules that regulate particularly nasty ransomware attacks. For example, some have suggested that a more restrictive rule could evolve to prohibit ransomware attacks on critical infrastructure. The United Nations Group of Governmental Experts (UNGGE) adopted the standard that “[a] State [information and communication technology] should not knowingly engage in or support any activity that violates its obligations under international law and knowingly damages critical infrastructure or interferes with its use. and impair the operation of critical infrastructure to provide services to the public." (86) When President Biden met with President Putin in Geneva in June 2021, he gave Putin a list of sixteen critical infrastructure facilities that were " "bans" of Russian cyber-attacks. (87) In doing so, the administration certainly endorsed the UNGGE report, but at the same time, the directive does not constitute an outright ban on ransomware and other "limited" and tolerable ransomware attacks. This is a grotesque reality that only serves to further consolidate the practice of ransomware in most sectors and against most victims.

The Oxford Declaration on the regulation of ransomware operations took a similar approach. (88) The statement, prepared by international legal experts under the auspices of the Oxford Institute of Ethics, Law and Armed Conflict, states that "there is no place for ransomware in a healthy, peaceful and prosperous international community." (89) At the same time, the statement prevents ransomware from being ipso facto banned as malum in se (mal by that fact itself). Instead, like the Biden administration, the statement prohibits only those ransomware attacks that "result in violations of human rights," "tantamount to a prohibited threat or use of force," "violate the principles of sovereignty or do not interference" or "violate the rights of others". contrary to the states." (90) In other words, it is not the action of the ransomware itself that leads to illegality; rather, the illegality of the ransomware is determined by its nature, scope and consequences on a case-by-case basis (taking into account several general principles of international law.) (91)

In short, even the broadest interpretations of existing international law produce a patchwork of rules that can, at best, limit a handful of serious ransomware attacks, leaving the rest intact and unrestricted.

C. The causes of ransomware execution

This subsection explains the causes of ransomware misapplication under national and international law. This subsection is based on Peter Swire's excellent theoretical mapping in his 2009 article "No Cop on the Beat". (92) For the purposes of this subsection, I define under-enforcement as a situation involving "a weak state response to violations of the law, as well as victimization." (93) I conclude that there are five main causes that create a "nasty problem" of ransomware under-enforcement: (94) (1) information asymmetries, (2) conflicting jurisdictions, (3) tragedy of the commons, (4) management deficiencies and (5) forensic and diplomatic challenges.

To provide context for each of the five challenges, this whitepaper is based on a typical ransomware scenario: Ransomware Gang R1 resides in country R and runs operations against local companies in countries V and H. Victims V1, V2, V3 and H1, H2, H3 experience significant business interruption and loss of revenue. V1 and H1 have a cyber insurance policy from V1 and HI respectively. Law enforcement agencies in V and H (VLE and HLE) are tasked with preventing and curbing cybercrime.

1. Information asymmetries

Currently, there is no obligation under national law to share ransomware information across multiple lines of intelligence sharing. Victims do not need to share information with each other, either nationally (V1 to V2) or internationally (V1 to H1); V1 has no obligation to share information with V2 (much less with H1). Also, victims are not required to provide information to national (V1 to VLE) or international (V1 to HLE) law enforcement agencies. (95) If the insurance policy is activated, insurers are also not required to exchange information again with other insurers (eg between VI and HI) or with any law enforcement agencies in the matter. (96)

As Peter Swire points out in relation to cyber harm, when "a report is received by a law enforcement agency, there is no basis for knowing whether the perpetrator is a victim (the local whistleblower) or multiple victims (mainly residing in other jurisdictions). ).”(97) Furthermore, the lack of reporting and information-sharing requirements means that the broader national security community, including law enforcement, “is unable to utilize the full range of skills and knowledge in its efforts to fight ransomware". (98)

2. Conflict of jurisdiction (99)

Our perpetrators in the scenario are a hacker gang located in country R, far away from the victims (located in V and H). This leads to geopolitical considerations that widen the enforcement gap. As Batrla and Harasta write,

[T]he ransomware attacks were primarily directed against North American and European targets. Most ransomware attacks have been described by various sources as having been launched by cybercriminals in Russia and other Commonwealth of Independent States (CIS) countries: 15 of the top 25 ransomware groups as of mid-2021 are believed to have been headquartered there... Evidence suggests that these countries were unwilling to intervene as long as threat actors followed basic precautions regarding local targets or assisted government intelligence and [law enforcement agencies] (100)

When a country harbors ransomware gangs and refuses to take enforcement action against them, that country is abusing its sovereign privileges. In other words, the placement act is an act of extension of judicial protection to protect offenders from the coercive measures of victim states. (101) International law is agnostic about how sovereigns use (and abuse) these privileges. As the Permanent Court of International Justice put it in the Lotus case in 1927: "[The] first and most important limitation imposed on a State by international law is that, unless there is a provision to the contrary, it may not exercise its powers in any way within the exercise of the sovereignty of another State.”(102)

Applying the Lotus case, the “stronger view” of international law is that any non-consensual access by a law enforcement agency to data “stored on a server located in the territory of another State constitutes a violation of the territorial integrity of that State. "Express." (103) This legal view has been endorsed by courts, (104) governments, (105) academics, (106) and certain treaty regimes. (107) The logic behind this interpretation is quite clear: “As a consequence of state sovereignty, it is generally recognized that officials of one state cannot exercise their functions in the territory of another state without its consent”. (108)

As a result, countries are prevented from engaging in unilateral and non-consensual cross-border cybersecurity enforcement operations (including certain operations to seize cryptocurrency or discover the location and identity of the ransomware gang) due to doctrinal, positivist views and formalists of the law. International. members). (109) This includes the use of offensive cyber operations to disrupt the ransomware ecosystem (eg, hacking servers and devices, gathering intelligence, and accessing specific ransomware networks). At least one group of academics believes these operations have real-world implications, as they affect the bottom line of ransomware groups, causing "infrastructure recovery, internal security costs, reputational damage, and even increased member stress, employee layoffs" and more groups. ", which dissolve completely." (110)

Since all extraterritorial cyber enforcement actions are considered illegal and contrary to international law under current doctrinal understanding, victim states are simply paralyzed. The host state can continue to host with impunity, and societies are forced to bear the costs of continued crime. (111)

3. The tragedy of the commons

(Video) Cybersecurity Law and Policy: What Are the Top Issues for 2019?

In the social sciences, Garratt Hardin's "tragedy of the commons" refers to a situation in which individual and independent users act against the common good solely for their personal interests. As stated above, given the scale of the ransomware problem, no local entity can meet this challenge alone. With limited prosecution resources and where most victims and perpetrators are outside their own jurisdiction, it's easy for police to dump the can on the street and drag their feet hoping someone will take care of the problem. (112) Thus, the cyberspace share is increasingly infested with hackers trading ransomware with no one willing to invest to stop this threat. Peter Swire has shown how "someone else's problem" manifests itself in cyber enforcement cases to create a community problem:

Prosecuting the distant perpetrator will also be a lower priority than a matter of public decision: the perpetrator is likely to gain more local recognition when all the victims are on the scene, rather than making a case against a perpetrator who primarily harms people outside the scene. place. . country jurisdiction. Therefore, if enforcement is spread across many local jurisdictions, we would expect a classic common effect: rational local authorities would focus on local impacts, leading to under-enforcement of the system as a whole. (113)

4. Leadership deficits

Most law enforcement agencies lack the necessary human, administrative, and technical resources to respond to the ransomware challenge. I call this "deficit management."

In recent years, ransomware operations have evolved towards a business model focused on ransomware-as-a-service (RaaS). (114) RaaS is an established industry within the ransomware business, in which operators “rent their malware creations to others for a fee or offer subscriptions, either a monthly contract or a portion of successful extortion payments. "(115) RaaS allows crime to spread. Hackers no longer need to develop their own criminal platforms. All they can do is buy minutes on existing RaaS platforms to target hundreds of victims at a time, knowing that at the same time fewer will pay for it.(116) This is combined with underground forums on the DarkNet, which help to "lower the barrier to entry" and "provide a market-friendly and social infrastructure for cybercriminal communities, including advertising, selling for the first time, the recruitment and exchange of information, penetration tools and experience.” (117) In contrast to the use of private messaging applications, these forums allow for "scalability, accessibility, inherent trust and reputation mechanisms (such as posts, transactions, deposited cryptocurrency) or user recommendations."

Given the for-profit nature of RaaS and the difficulty of tracing and prosecuting operators, it is not surprising that law enforcement agencies face a scalability problem. In our hypothetical story, the VLE and HLE do not have the resources to simultaneously combat hundreds of crimes occurring at the same time. So while crime has increased, responses have not. (119) As a result, victims often call the authorities and receive limited and partial assistance for their problems. (120) Therefore, they have no incentive to communicate with the authorities in the future, further increasing the information asymmetry.

5. Forensic and diplomatic challenges

Evidence collection challenges, attribution issues, and varying degrees of technological sophistication and law enforcement expertise also hampered the ability to effectively respond to this crime. The duality of this threat, which has the appearance of a national security issue (which can only be addressed by national security agencies and structures) but has local repercussions as a domestic crime, makes it a unique threat.

This is not the first time the United States has faced a threat that blurs the line between national security and domestic crime. Consider, for example, the long-running kidnappings of US corporate CEOs in Latin America in the 1980s. Ed Meese, then US Attorney General, considered banning kidnap-and-ransom insurance, as some argued that "having insurance actually increases the likelihood of kidnapping." . (121) Ultimately, Meese decided not to ban the show, fearing that the ban would make it more difficult to "contact the authorities." (122) This is because compensation under the policies was conditioned on reporting to the FBI. In fact, the insurers turned to the FBI to negotiate with the hijackers and work diplomatically with the relevant foreign countries to ensure the safe release of the hijackers. (123) In other words, forensic and diplomatic challenges meant that both victims and insurers were encouraged to work with law enforcement to resolve these crises.

The ransomware problem no longer requires victims and their insurers to go through the government. While physical kidnappings have required intergovernmental coordination in support of release and recovery efforts, there is no physical element that requires a government role in crisis management when everything is digital and everything seized is data. Entering the fray are private security startups led by former US intelligence and cyber experts bringing the same national security expertise that was once a complete government monopoly. (124) The result is that insurance policies no longer require reporting to law enforcement or government cooperation, further exacerbating the information asymmetries discussed above. V1 and VI can work together to exclude government and therefore exclude law and order.

These five challenges demonstrate the need to develop international and transnational responses to ransomware. These responses could more effectively address scalability issues, common and jurisdictional issues, and identified information gaps. The next part begins by outlining possible models for such intranational regulation.

third REDEFINING THE RANSOMWARE CRIME

A. Ransomware and the ban on Hostis Humani Generis

In the run-up to Russia's war of aggression against Ukraine, President Biden made a rhetorical lapse in trying to distinguish between a "minor" Russian invasion of Ukraine and "major incursions." (125) Part of what shocked the international community about Biden's statement was that assault is an internationally recognized crime. According to UNGA Resolution 3314, "[an] aggressive war is a crime against international peace" (126) and "no acquisition of territory or special advantage resulting from aggression is or will be recognized as lawful." (127) The consequence of this is that "[no] consideration of any kind, be it political, economic, military or otherwise, can serve as a justification for aggression." (128)

Aggression is malum in se (evil itself). It is defined by a baseline of illegality. It is not the only crime of this type, there are other international crimes that have been outlawed by the international community due to their uniqueness. Perhaps we can speak of three generations of such crimes:

Generation 1: Piracy on the high seas and the slave trade

Generation 2: Hostage-taking and aircraft hijacking

Generation 3: Cross-border organized crime and terrorism

Maritime piracy, hostage-taking, aircraft hijacking, transnational organized crime, terrorism, and now ransomware share several key characteristics: (1) they are all threats to the national movement of goods, services, and people; (2) they all rely on national legal systems to prosecute criminals; (3) they all have transnational components that go beyond the purely domestic environment of a state, which complicates confidence in the application of national law; (4) all involve violations of the fundamental and universal human values of freedom; (5) they all imply relatively low costs to continue the attacks; and (6) all result in large-scale mass victimization due to the indiscriminate nature of the attacks, which shocks the conscience of the international community. (129)

In this sense, the international criminalization of ransomware can obviously derive its legitimacy and internal logic from the previous three generations and become a kind of digital fourth generation of international criminalization and ostracism of these “enemies of humanity” (genus hostis humani). (130) Indeed, it seems true that in all previous generations "the concerted action taken by the world community to suppress these crimes" has demonstrated the power and scope of the "international legal order". " (131) By traveling back in time, one can anchor ransomware prevention strategies with other previously tested and recognized frameworks. It is crucial that regulators learn from the past and contemporary history of different generations of Hostis humani generis crimes and their ostracism , allowing us to gain new insights and perspectives on an emerging crime based on parallel stories.

B. Prohibition by extension and analogy or by contract design?

Previous studies are rich in examples showing the connections between different generations of crime. The literature is replete with books that examine, for example, the relationship between kidnapping and piracy, (132) terrorism and piracy, (133) or terrorism and organized crime. (134) A review of this scholarship and the relevant treaties and practices related to these crimes reveals a number of requirements. These "prohibition principles" are common to all generations of crimes and should be part of any future ransomware ban: (135)

(1) Principle of proclamation: The international character of the crime is proclaimed and justified, thus elevating it to the category of international crime. (136)

(2) Penalty Principle: States have an obligation to establish clear laws and other enforcement measures that, in accordance with their domestic law, impose “severe and effective sanctions” on offenders and increase deterrence. (137)

(3) Principle of universal jurisdiction: affirms the right of each state to arrest the offender wherever he is found and to prosecute and punish him for the crime, regardless of where the crime was committed or felt.

(4) Principle of prosecution or extradition: States are obliged to prosecute or extradite (aut dedere, aut judicare) criminals found in their territory.

(5) Principle of cooperation: States have the obligation to cooperate and provide mutual legal assistance in all criminal matters related to the offence.

To criminalize ransomware internationally, lawmakers need to engage in a process of adopting these principles and recognize them for the ransomware crime. This process can be done in two ways: through specialized regulation (development and adoption of a new international instrument on ransomware) or through an inductive process based on existing instruments. Given the number of international treaties covering all previous generation crimes, it might be possible to apply some of them by analogy and by extension to different categories of ransomware. This subsection examines each of these options.

1. New international instrument

The 1960s and 1970s were a period of growth in new contract development. In fact, in the days before the kidnapping conventions were passed, the framers of these treaties strongly believed that the problem could not be adequately addressed through habit formation. They considered the habit "too slow and burdensome for global security needs." (138) For this reason, contract-based instruments were preferred. The conventions were seen as the fastest and most personalized mechanism to promote the rule of law and prevent and prevent airborne hostage-taking.

The world has certainly changed since then, both in terms of domestic politics in the United States and the broader strategic competitive landscape on the world stage. It is now considered virtually impossible to develop an international tool, certainly not on a subject as sensitive as cybercrime, and certainly not at a time when Russia's invasion of Ukraine has revived Cold War political shenanigans.

However, it is also true that on December 27, 2019, the UN General Assembly approved Resolution 74/247 on "Combating the use of information and communication technologies for criminal purposes", which began a process to develop a Comprehensive Global Agreement on Cybercrime Sat. (139) On May 26, 2021, the United Nations General Assembly adopted resolution 75/282, which allows for the preparation of a full draft and its submission to the General Assembly in time for its seventy-eighth session (which starts in September 2023 and ends in September 2024) fix). (140)

The planned congress is already meeting resistance. More than forty digital rights organizations and experts have warned that a proposed convention poses a threat to human rights. (141) The EDPS expressed concern that, unless explicitly addressed, there is a "significant risk that the final text of the Convention may lead to an impairment of the fundamental rights and freedoms of natural persons provided for in the legislation of the EU, in particular your rights to data protection and privacy.” (142) Others have cited Russia's leadership in promoting this treaty as evidence of its improbability. These commentators suggest that it is "difficult to imagine how Russia could participate in good faith in negotiations for a legally binding cybercrime treaty against the invasion of a sovereign nation-state” (143) (alluding to the Russian invasion and annexation of parts of Ukraine in 2022).

Even if the convention never comes to fruition, the process of its development may have a function of its own. Discussions about the scope and wording of the new treaty could become a diplomatic epicenter for standards talks of the kind advocated in this article. Furthermore, even if a comprehensive and universal regime is not within reach, a club model may provide a stopgap solution in which the United States and like-minded people take the first step in introducing the domestic crime of ransomware in the hope of the regime ends. be adopted by a sufficiently strong number of states.

2. Analogy and extension

As stated above, ransomware overlaps, at least in part, with a number of other crimes covered. These include (1) the 1979 International Convention against the Taking of Hostages, (2) the 1988 Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation, (3) the 1997 International Convention for the Suppression of Terrorist Attacks, ( 4) the international Convention of 1999 Convention for the Fight against the Financing of Terrorism, (5) the United Nations Convention against Transnational Organized Crime of 2000, (6) the Convention for the Suppression of Illicit Activities in Relation to Aviation International Civil Law of 2010 (Beijing Convention) and (7) the Additional Convention of 2010 Protocol to the Convention to Combat the Unlawful Seizure of Aircraft. (144)

Applying these contracts to ransomware could open the door to significant compliance opportunities. By selecting relevant provisions for strategic application (145), new obligations may arise, both to restrict refugee states and to strengthen victim states. Litigation options can also be generated. While it is beyond the scope of this article to provide a full discussion of each of the treaties and frameworks listed above, I will examine a few anecdotally to provide insight into the proposals put forward by the article.

The International Convention against the Taking of Hostages defines the act of “taking hostages” in Article 1. It says:

[a] person who seizes or detains another person (hereinafter referred to as a “hostage”) and threatens to kill, injure or detain him/her subsequently in order to coerce a third party, i.e. a State, an international intergovernmental party Any organization, natural or legal person, or group of persons, who undertakes or fails to comply as an express or implicit condition for the release of the hostage, commits the crime of taking hostages ("hostage-taking") within the meaning of this Convention. (146)

Note that the "Article does not give any indication on the form of apprehension of detention" (147) and that many means, in addition to the use of force, that help to maintain the apprehension or detention, "may be sufficient to cause such behavior within the scope of this Convention." (148) Returning to our reference scenario, we can examine this test case by slightly adjusting the facts. What if the attacked V1 was a hospital and what if the R ransomware attack lock a certain patient in the operating room while doctors outside the room couldn't help her? At that point, ransomware could cause further delays in surgeries and ultimately lead to death.(149) states issuing emergency declarations 0) What if hackers learned of the possible gas shortage and directed their attack to restrict the movement of certain people, or instead of a gas line, they s hackers attacked a plane and forced it to stay on the runway for hours with passengers on board. The wording of Article 1 can be expanded to cover some outcomes that arise from all of these scenarios. Finally, astute litigants might try to argue that each scenario demonstrates a broader form of Article 1 “stop.”

Such an interpretation could have dramatic consequences, since under Article 16 of the International Hostage Convention, disputes over the Convention can be referred to the International Court of Justice (and since both the United States and Russia are parties to this treaty without reservations, this could theoretically lead to a potential case in the future).

As a second analogy, compare the usual prohibition of terrorism with the crime of ransomware. “Terrorism” is defined as encompassing three key elements:

(i) commit a criminal act (such as murder, kidnapping, kidnapping, arson, etc.) or threaten to do so;

(ii) the intent to instill fear in the public (which would generally result in the creation of a public danger) or to compel, directly or indirectly, any national or international authority to take or refrain from taking any action; Y

(iii) when the action involves a transnational element. (151)

Based on this definition, certain types of ransomware attacks can be considered a form of terrorism. Consider the organized group R1 that operates with political motives or connections to the intelligence apparatus of country R. If the attack is directed at a public service (such as a bank or a railway) knowing that its disruption will instill fear in the population, it certainly exists. the possibility of characterizing the act as terrorism.

A final analogy can be found in the wording of the United Nations Convention against Transnational Organized Crime. Article 2(a) defines an “organized criminal organization” as

(1) a group of three or more individuals not formed at random;

(2) exist for a specific period of time;

(3) acting together to commit at least one offense punishable by imprisonment for a period of at least four years;

(4) obtain, directly or indirectly, any financial or material advantage. (152)

This definition is perhaps the most accurate, since almost all ransomware attacks are launched by gangs that easily meet these requirements.

A specialized international regime to regulate ransomware crimes remains the best solution to the problem of ransomware under-enforcement. However, given the current political instability, it is highly unlikely that a ransomware deal will be written and approved in the near future. Hopefully, the three examples above show that there are other solutions to regulating ransomware, including the analogy and extension of using existing contracts and usual frameworks.

IV. STRUCTURE OF THE RANSOMWARE ENFORCEMENT TOOLKIT

This final part of the article examines the implications of recognizing ransomware as an international crime. It will specifically address three areas of development that can help close the ransomware enforcement gap by directly addressing some of the root causes of ransomware as detailed in Part I. In particular, I will consider the following likely impacts: (1) expanding the port state designation of ransomware and shaming policies, (2) authorization of extraterritorial cybersecurity and law enforcement enforcement, and (3) further development of strategies to strengthen national cybersecurity.

A. Naming and shaming of port States

The problem with existing international bodies tasked with regulating cyberspace, such as the UNGGE and the UN Open-Ended Working Group, is that they have so far failed to generate a broad enough consensus for their conclusions. In fact, these discussions have not led to an agreement on the details of the application of each standard of responsible behavior in cyberspace. (153) Since ransomware crime is likely to focus only on private individuals and gangs, if negotiated effectively, it could perhaps be an easy fruit for government-to-government negotiations. This is because criminalization is unlikely to be a barrier to national cyber activities. (154)

Also, changing the terminology around ransomware from a domestic crime to an international crime, along with hacking, terrorism, and slavery, would play an important role. (155) This would raise the stakes in diplomatic talks and help reach broader agreement among allies on the need for deterrence and enforcement strategies against states that ignore ransomware.

In addition, it will serve the function of "condemnation" within the broader theory of cyber prosecution developed by Martha Finnemore and Duncan Hollis. (156) In other words, it will give shape and force to the "expression of disapproval" of a state that attributes ransomware operations to a host state. (157) The stronger the sentence, especially when it comes to international crimes, the more likely it is that the defendant will change his behavior. (158) In addition, sentencing helps articulate "good" and "bad" behavior and thus supports the formation of new legal rules and regulations. (159)

B. Extraterritorial execution and prosecution (160)

As discussed above, one of the biggest challenges posed by the ransomware threat is the inability of states to enforce their criminal laws against hacking groups due to court restrictions imposed by shelters. (161) By hosting these ransomware servers and networks in their territories, these states protect hackers from law enforcement actions. Knowing that victim states are unlikely to encroach on their territorial sovereignty, they are confident that this sovereignty will offer adequate protection to criminals, many of whom are their citizens.

How can we combat this form of abuse? How can we maintain the traditional prohibition on extraterritorial executions while circumventing that prohibition to allow victim states to carry out effective criminal investigations and disruptive enforcement actions? One solution emerges from examining the work of Cedric Ryngaert. Ryngaert proposed the idea of a "positive principle of sovereignty", which he described as follows: "States can apply their laws to a foreign situation to the extent that the State that has the strongest connection to the situation fails to adequately treat with it in a way that is detrimental to the regulatory interests of the international community at large." (162) If a country like Iran, North Korea or Russia provides a safe haven for hackers, and sometimes even uses them indirectly (163), then those countries should be deprived of the opportunity to abuse their sovereignty in this way. . If ransomware were recognized as an international crime, relying on sovereignty to continue defending it would be "harmful to the regulatory interests of the international community," as Ryngaert suggested. This would mean that states would finally have the right to investigate violations of their criminal laws and enforce their sentences extraterritorially, without fear of conflict with the laws of the receiving state. (164)

In addition to cyber investigation and enforcement, international ransomware criminalization can serve other important functions. Remember that "inconsistencies in approaches, definitions and sanctions can hinder international cooperation, particularly when it comes to aid." (165) Establishing an agreed definition of the ransomware crime, which could be incorporated into national law, could lead to further harmonization of substantive criminal law, at least among like-minded countries. In addition, cooperation and extradition or prosecution obligations can support the efforts of individual states to bring perpetrators of ransomware to justice.

C. Improve cybersecurity at home

Historical analysis shows the value of international criminalization of certain global crimes such as piracy, kidnapping and terrorism. In each of the three cases, the creation of international treaties and regulations has led to greater centralization and harmonization of rules, as well as the formulation of new security protocols and best practices to prevent and mitigate damage. They also helped reshape public-private discourse and partnership, as well as create new agencies and transnational partnerships, which in turn created even more opportunities for standard setting. Let's take kidnapping as a good example. At first, the problem was seen as a matter of self-help measures by individual airlines. (166) In fact, there were even scholars who suggested that the search for international legal instruments was a "serious error of judgement" (167) and that kidnapping should be treated as a "technical problem" rather than a "legal problem". . (168) Those who took this view argued that it was the role of flight technicians and professional airlines to solve the hijacking problem, not the responsibility of government prosecutors and foreign diplomats. (169)

But the process and science that led to the adoption of the international hijacking conventions held an important lesson for the participating countries. He claimed that the old way of tackling the problem, centered on the role of private companies, was in fact "sporadic, piecemeal and short-term, determined by the whims, enthusiasm, apathy and day-to-day politics of individual airlines". . and airport authorities." (170) In the previous world order, "security was an illusion" (171).

(Video) Window to the Law: Protecting Your Business from a Ransomware Attack

Ultimately, this led to what passengers today take for granted: an internationally standardized set of precautions in aircraft design, carrying out security checks at airports, and arranging flights from takeoff to landing. . Personal and baggage searches, metal detectors, and sniffer dogs were introduced through a process that began with the adoption of these international instruments. (172)

National and international programs have been formulated to subsidize and support the introduction of improved security measures at airports and on board aircraft. (173) As some researchers have noted, "[a] steady decline in kidnappings has been driven by a collective effort by affected states and the private sector, employing a cocktail of active and passive measures: all lessons for policymakers in the fight against ransomware". (174)

The development of an international agenda to combat and criminalize ransomware will unleash new forums and new public-private coalitions to promote global, unified and standardized preventive security measures, crisis management frameworks and response policies.

Additionally, the international criminalization of ransomware could affect what commercial insurers and individual victims are willing to do by triggering ethical discourse related to specific laws and regulations. You might increase the expectation of reporting to the authorities and decrease the amount of ransom payments, knowing that by paying the ransom you could be seen as an accessory to a crime against humanity. In other words, the internationalization of crime could serve as a counterbalance to the feeling of some victims that their individual interests should prevail over any community or collective interest of society. By simply defining the crime as a crime similar to terrorism or hacking, individual victims can develop an entirely different lens and internal compass for what the appropriate responses are when a ransomware attack materializes. (175) This could also lead to a healthier ransomware insurance market, a market currently suffering from rising premiums and resulting coverage gaps. (176)

CONCLUSION V

This article was produced as part of the Vanderbilt Journal of Transnational Law Spring 2022 Symposium. The title of this symposium was “The Law of Cyberterrorism”. While “cyberterrorism research and policy have stagnated in recent years” (177), I read the call for papers for symposia more broadly: as an invitation to explore interoperability between cyberattacks like ransomware and addressing terrorism. traditional. . The deeper I went into my research, the more I realized that the international crime of terrorism has a rich history that can be linked to previous generations of parallel crimes: a series of crimes that have their roots in naval piracy and air hijacking. Continuing my research, I came to the conclusion that ransomware is another link in this multi-generational family of international crimes.

Of course, proposing a “foolproof legal framework and creating an international regime to prevent and deter” international crimes like ransomware is not easy. (178) When S.K. Agrawala teaches us that "[many] political and economic factors play a role, and the efforts of nations with divergent interests must be coordinated." (179) But perhaps our best bet is to build on the achievements of the past and learn from history. Therefore, we must examine historically contextualized regulatory solutions to the ransomware problem.

Law professors like to say in their academic papers that, through their research, they discovered a new theoretical framework that changed the paradigm. In this paper, I claim the exact opposite of that. During my search, I did not find a new frame, but an old one. As an anecdotal example, consider the words of Douglas Burgess in his book The World for Ransom:

[I]If international terrorists are not common criminals or enemy combatants, then what are they? There is an answer. Old, dusty, perhaps anachronistic, but extremely useful and utterly accurate. Since we have a precedent, we have a law: terrorists will not only borrow the unique status of pirates as enemies of humanity... but also the equally unique measures given to states to hunt them down. (180)

My article is simply an extension of Burgess's controversial claim, extending his arguments deep into the digital age. Because ransomware gangs are transnationally organized criminals; they are terrorists; they are kidnappers; they are pirates. And, as Burgess says, once the international community recognizes this, it will have to apply the relevant law, either in terms of expanding existing treaty structures or developing new regimes based on old evidence. Looking at the world through this lens, it's no longer surprising to read a newspaper article headlined "Exclusive: US Gives Ransomware Attacks Similar Priority to Terrorism." (181) Of course the United States will, because the two crimes are one and the same.

Asaf Lubin (*)

(*) Dr. Asaf Lubin is Associate Professor of Law at Indiana University Maurer School of Law, Fellow of the IU Center for Applied Cybersecurity Research, Associate Professor of the Berkman Klein Center for Internet and Society at the University of Harvard, Affiliate Fellow of the Information Society Project at Yale Law School, and Visiting Professor at the Federmann Center for Cyber Security at the Hebrew University of Jerusalem. This work was funded by the Federmann Cyber Security Center in collaboration with the Israel National Cyber Directorate. The work received excellent feedback from participants in workshops and events organized by the University of Geneva, New York University, the Division of Cyber Policy, Strategy and Scope of the US Secret Service, the Society Project Law School, Third Way, the Berkman Klein Center for Internet and Society at Harvard University, Israel's National Cyber Directorate, Chicagoland Junior Scholars Workshop, and the Federmann Cybersecurity Center from the Hebrew University.

(1.) Siehe Patricia Mazzci, another Florida town trick pays a ransom, this time for $460,000, N.Y. TIMES (June 27, 2019), https://www.nytimes.com/2019/06/27/us/lake-city-florida-ransom-cyberattack.html [https://perma.cc/7CNR-NC3S ] (archived August 12, 2022).

(2.) Véase Florida's 2nd City in Just One Week to Pay Large Ransom to Hackers for Seized Computer Systems, CBS NEWS (26 de junio de 2019), https://www.cbsnews.com/news/ransomware -attack-lake- city - florida-pay-hackers-ransom-computer-systems-after-riviera-beach/ [https://perma.cc/VAE9-CDR7] (archivado el 12 de agosto de 2022).

(3.) Frances Robles, a city paid a huge ransom to hackers. But your sorrows are far from over., N.Y. TIMES (July 7, 2019), https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html [https://perma. cc/WT5X-2XBZ] (filed August 12, 2022).

(4.) Id.-Nr.

(5.) Antonio Villas-Boas, a Florida town, was forced to write and pay a $500,000 ransom after hackers took control of his computers, BUS. INSIDER (June 27, 2019), https://www.businessinsider.com/lake-city-florida-ransomware-cyberattack-hackers-bitcoin-payment-2019-6 [https://perma.cc/C2XS-KGMS ] (archived August 12, 2022).

(6.) The Departments of Justice, Homeland Security, and Health and Human Services define ransomware as “a type of malicious software that cybercriminals use to deny access to systems or data. The malicious cyberactor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware tries to spread to shared storage drives and other accessible systems. If the requirements are not met, the encrypted system or data will not be available or the data may be deleted. DEPARTMENT OF JUSTICE, RANSOMWARE: WHAT IT IS AND WHAT TO DO ABOUT IT, https://www.justice.gov/criminal-ccips/file/872766/download (last accessed September 21, 2022) [https:/ /perma. cc/SF95-JZKR] (archived August 12, 2022).

(7.) Siehe Catalin Cimpanu, Florida city fires IT employee after paying ransom demand last week, ZDNET (July 1, 2019), https://www.zdnet.com/article/florida- city-fires-it-employee-after-pay-ransom-demand-last-week/ [https://perma.cc/6PP6-Z2M3] (Filed August 12, 2022).

(8.) NAT'L CYBER SEC. CTR., ADVISORY: RYUK RANSOMWARE TARGETS ORGANIZATIONS GLOBALLY (June 21, 2019), https://www.ncsc.gov.uk/filos/RYUK%20Advisory%20draft%20CP%20June%202019.pdf [https:/ /perma.cc/Y6NP-YG9C] (archived August 12, 2022).

(9.) identification.

(10.) See Robles, note 3 above. The exact extent of the FBI's involvement in the case is not publicly known, but appears to have been limited to data recovery attempts. See identification.

(11.) A group of companies is a “mission-driven, non-profit organization formed by a group of local government agencies, usually within a state, to finance a company, usually by pooling or sharing that risk. The agencies themselves own and manage the pools. Technically, in most states, a group is not an insurer, does not issue insurance policies, and is not regulated by the state insurance agency, at least not to the same extent as a commercial insurer, and they are virtually indistinguishable from insurance. ". John Rappaport, How Private Insurers Regulate Public Policing, 130 HARV. L. REV. 1539, 1557--58 (2017). By one estimate, "There are more than 500 of these groups across the United States, encompassing everything, from transit agencies to counties of coverage." Jonathan G. Steiner, The Risk Pool Advantage, N.H.MUN.ASS'N (2010), https://www.nhmunicipal.org/town-city-article/risk-pool- vantage [https://perma.cc/4FGG-9A7Z] (archived August 13, 2022).

(12.) See Villas-Boas, note 5 above.

(13.) Siehe Patty Matamoros and Francesca Stewart, UPDATE: Lake City Fires Employee After Pay Ransom in Malware Attack, WCJB (June 26, 2019), https://www.wcjb.com/content/news/City-of - Lake-City-moves-Forward-after-Cyber-Attack-511802711.html [https://perma.cc/6CCQ-HL8F] (archived August 13, 2022).

(14.) Renee Dudley, The Economics of Extortion: How Insurance Companies Are Driving a Rise in Ransomware Attacks, PROPUBLICA (August 27, 2019), https://www.propublica.org/article/the -extortion-economy-how-ingurance-companies-are-fueling-a-rise-in-ransomware-attacks [https://perma.cc/6MC3-JFCS] (archived August 13, 2022).

(15.) See Robles, note 3 above.

(16.) See LAKE CITY, FLA., FISCAL YEAR 19 BUDGET AMENDMENT NO. 1, (2019), https://www.lcfla.com/sites/default/files/fileattachments/finance/page/1635 /budget_amendment_1_-_2019. pdf [https://perma.cc/65PH-A64H] (archived August 13, 2022).

(17.) See Pierluigi Paganini, Systems at Indian Energy Company Infected by Ransomware, SEC. AFF. (March 30, 2018), https://securityaffairs.co/wordpress/70836/hacking/power-company-ransomware.html [https://perma.cc/DE96-XRDN] (archived August 13, 2022 ).

(18.) See David Paul, National Trust and Edinburgh Zoo Latest Victims of Blackbaud Hack, DIGIT NEWS (July 29, 2020), https://digit.fyi/national-trust-and-edinburgh-zoo-latest-victims - de -ransomware-hack/ [https://perma.cc/9RS5-8K9U] (archived August 13, 2022).

(19.) See Garrett Thompson, Brazilian Courts Face Ransomware for Second Time in Recent Months, BINARY DEF. (May 3, 2021), https://www.binarydefense.com/threat_watch/brazilian-courts-face-ransomware-for-second-time-in-recent-months/ [https://perma.cc/USY5 - PH5K] (archived August 13, 2022).

(20.) See Julian E. Barnes, US Military Acted Against Ransomware Groups, General Recognitions, N.Y. TIMES (December 5, 2021), https://www.nytimes.com/2021/12/05/us/politics/us-military-ransomware-cyber-command.html [https://perma.cc/DF45 - WYT6] (archived August 13, 2022).

(21.) Siehe Vic Ryckaert, Hackers Salvaged Patient Data, Then Greenfield Hospital System Paid $50,000, INDIANAPOLIS STAR (January 17, 2018), https://www.indystar.com/story/news/crime/ 2018 /01/ 17/hancock-health-paid-50-000-hackers-who-encrypted-patient-files/1040079001/ [https://perma.cc/QY5F-PSBA] (Filed August 13, 2022) .

(22.) See Khristopher J. Brooks, Ransomware Attack Shuts Down Some Michigan Schools, CBS NEWS (January 2, 2020), https://www.cbsnews.com/news/ransomware-attack-shuts-down-richmond- Michigan -School-District/ [https://perma.cc/4B56-G6ZE] (archived August 13, 2022).

(23.) See Travis Bubenik, Hackers Target Texas Courts in Ransomware Attack, COURTHOUSE NEWS SERV. (May 11, 2020), https://www.courthousenews.com/hackers-target-texas-courts-in-ransomware-attack/ [https://perma.cc/Z2L5-CACK] (archived on May 13, 2020) May 2020) August 2022).

(24.) See Alfred Ng, Port of San Diego ransomware attack, CNET (Sept. 28, 2018), https://www.cnet.com/news/port-of-san-diego-hit-with -disruptive-ransomware-attack/ [https://perma.cc/53QG-4BAU] (archived August 13, 2022).

(25.) See Daniel Kreps, Celeb Law Firm Recuses Hacker Ransom as Lady Gaga Files Leak, ROLLING STONE (May 15, 2020), https://www.rollingstone.com/music/music-news/lady-gaga- hack -1000092/ [https://perma.cc/PW2Y-LRNJ] (archived August 13, 2022).

(26.) For the full segment, see John Oliver, Ransomware: Last Week Tonight, HBO (8/15/2021), https://www.youtube.com/watch?v=WqD-ATqw3js [https:/ /perma.cc/8N64-UQTG] (archived August 24, 2022).

(27.) FED. BUREAU OF INVESTIGATIONS, PROTECTING YOUR NETWORK FROM RANSOMWARE 2 (July 14, 2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view [https ://perma.cc/5K63-2GLB] (archived August 24, 2022).

(28.) David Corchado, Why Ransomware Attacks Are on the Rise, INVESTIS DIGIT. (May 19, 2021), https://www.investisdigital.com/blog/technology/why-ransomware-attacks-are-rise [https://perma.cc/QA88-USUH] (archived August 24, 2021). of 2022) .

(29.) Ebd.

(30.) Ransomware lawsuits continue to rise as data exfiltration becomes common and the maze subdues, COVEWARE (November 4, 2020), https://www.coveware.com/blog/q3-2020 -ransomware-marketplace-report [https://perma.cc/4E87-R5QC] (archived August 24, 2022).

(31.) See Corchado, note 28; see also SOPHOS, THE STATE OF RANSOMWARE 2021 3 (April 2021), https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf [ https://perma.cc/HY87-WTZK] (archived August 24, 2022) (noting that on average in 2021 "only 65% of encrypted data was recovered after paying the ransom" and that the "average of bills for ransomware attack remediation considering downtime, staff time, equipment cost, network cost, missed opportunity, ransom paid, etc. was $1.85 million").

(32.) David Braue, Global Ransomware Damage Costs Expected to Exceed $265 Billion by 2031, CYBERCRIME MAG. (June 2, 2022), https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/ [https://perma.cc/7KEN - ANVK] (archived August 24, 2022).

(33.) See Lawrence J. Trautman & Peter C. Ormerod, Wannacry, Ransomware, and the Emerging Threat to Corporations, 86 TENN. L.REV. 503, 505-06 (2019) (explaining how the WannaCry virus "works by encrypting a victim's data and demanding a ransom payment in exchange for data recovery").

(34.) See EDF. COMMERCIAL BUSINESS, SMALL BUSINESSES CYBERSECURITY: RANSOMWARE. https://www.ftc.gov/system/files/attachments/ransomware/cybersecurity_sb_ransomware.pdf (last accessed August 23, 2022) [https://perma.cc/8EB6-MBZU] (archived August 24, 2022) (Description of the different methods that a criminal can use to launch a ransomware attack).

(35.) Alexander S. Gillis and Ben Lutkevich, Definition: Ransomware, TECHTARGET, https://www.techtarget.com/searchsecurity/definition/ransomware (last accessed August 23, 2022) [https://perma. cc/ JLZ8-56TG] (archived August 24, 2022). It should also be noted that attackers can use one of four different "approaches" to carry out their ransomware operations: (1) "Ransomware encryption" is the classic "ransomware attack" that involves trading and the extortion of digital currencies to access the encryption key. to decrypt the data; (2) Lock screen ransomware involves locking users out of their computers, and unlocking depends on a ransom payment; (3) "Doxfare" ransomware involves threats to release data unless the ransom is paid; (4) "Scareware" ransomware involves generating an endless cycle of pop-up notifications that prevent access to the computer or its data. The only way to prevent new pop-up windows from being generated is to pay the ransom. Each of these four attack approaches can be run on mobile devices instead of regular computers. I WOULD GO.

(36.) Siehe allgemein VANSA CHATIKAVANIJ, MATTHEW DAVIE, JOSE FERNANDEZ DA P0NTE, BRAD GARLINGHOUSE, YUSUF HUSSAIN, PAUL MALEY & SEBASTIAN SERRANO, WORLD ECON. F., NAVIGATION OF CRYPTOCURRENCY REGULATION: AN INDUSTRY PERSPECTIVE ON THE OUTLOOK AND TOOLS NEEDED TO FORMAT BALANCED CRYPTOCURRENCY REGULATION (September 2021), https://www3.weforum.org/docs/WEF_Navigating_Cryptocurrency_Regulation_2021.pdf [https://perma.cc/5MP9-BYVF] (archived August 24, 2022).

(37.) See generally id.

(38.) Andreja Velimirovic, Types and examples of ransomware, PHOENIXNAP (13.01.2021), https://phoenixnap.com/blog/ransomware-examples-types [https://perma.cc/6EU7-JLWF] (archiviert am August 24, 2022).

(39.) Ebd.

(40.) Sally Adam, The State of Ransomware 2022, SOPHOS NEWS (04/27/2021), https://news.sophos.com/en-us/2022/04/27/the-state-of- ransomware -2022 / [https://perma.cc/LZ6Y-RLRL] (archived August 24, 2022). The SOPHOS study is based on a survey of 5,600 IT experts from 31 countries. I WOULD GO.

(41.) Ebd.

(42.) See SOPHOS, THE STATE OF CONSUMER HOME CYBERSECURITY 2021 10 (July 2021), https://www.sophos.com/en-us/medialibrary/pdfs/consumer/sophos-the-state -of-consumer - home-cybersecurity-2021.pdf [https://perma.cc/HN55-QUUZ] (archived August 24, 2022) (noting that "nearly one in five consumers have had first-hand experience with ransomware" and that most ransomware attacks target people in the Northeast).

(43.) Oliver, supra note 26.

(44.) See generally Danny Palmer, Ransomware: Over Half of Attacks Are Targeting These Three Industries, ZDNET (January 31, 2022), https://www.zdnet.com/article/ransomware-over-half-of -attack - are-targeting-these-three-industries/ [https://perma.cc/3G78-TK45] (filed 24 Aug 2022) (noting that the banking, utilities and retail sectors are particularly vulnerable , but all sectors are "vulnerable to attack").

(45.) EUROPEAN UNION CYBERSECURITY AGENCY, ENISA THREAT OVERVIEW 2021: APRIL 2020-MID JULY 2021 25 (Ifigeneia Leila et al. Hrsg., 9. Aufl. 2021).

(46.) Ebd.

(47.) See Kate Birch, USA and Canada among the countries most attacked by ransomware, BUS. CHIEF (November 15, 2021), https://businesschief.com/technology-and-ai/us-and-canada-among-countries-raost-attacked-ransomware [https://perma.cc/UC2U-RG2D ] (Archived August 24, 2022) ("NorthLocker's research found that the United States is the country most affected by ransomware attacks in 2020 and 2021, with Canada in third place behind the United Kingdom. The researchers studied 1,200 companies targeted by top 10 ransomware gangs." ).

(48.) CAL. Penal Code [Section] 523. The law defines "ransomware" as "a computer contaminant...or a lock that is placed or inserted without authorization into a computer, computer system, or computer network that restricts an authorized person's access to the computer or computer system." , computer network or data contained therein in circumstances where the person responsible for placing or introducing the ransomware requests payment of money or other consideration to remove contaminants from the computer, restore access to the computer, computer system, network computing or Resolve data or otherwise the effect of contaminating or crashing the computer." Badge.

(49.) TEX. CRIME. EXPRESS. ANA. [Article] 33.023.

(50.) For other parallel legal provisions, see W. VA. CODE [section][section] 61-3C-3 to 61-3C-4; WYO. EXPRESS. ANA. [section][section] 6-3-506, 6-3-507.

(51.) Note, however, that at least in the context of the Health Insurance Portability and Accountability Act (HIPAA), the US Department of Health and Human Services for Civil Rights ("HHS OCR") issued guidance in 2016. HHS OCR stated that encryption of electronically protected health information (ePHI) was breached as a result of a ransomware attack because the ePHI that was encrypted by the ransomware was acquired (i.e., people not authorized parties possessed or obtained control of the information). Alan Brill, David White, and Aravind Swaminathan, Is a Ransomware Attack a Data Breach? attack-constitute-data-breach [https://perma.cc/BCH9-92PP] (archived August 18, 2022).

(52.) See letter from Linda A. Lacewell, Superintendent, N.Y. Status: Dep't Fin. Servs., for all licensed property/casualty insurers (February 4, 2021), https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02 [https://perma .cc/6VLW-4K76] (filed 08/18/2022).

(53.) For information questioning the effectiveness of cyber insurance regulation of ransomware notifications and compensation, see Erin Ayres, Banning Ransom Payments a 'Blunt, Potentially Ineffective' Tool: Geneva Association, FPN ADV1SEN (July 25 2022), https://www.advisen.com/tools/fpnproc/fpns/articles_new_35/P/439958803. html?rid=439958803&list_id=35 [https://perma.cc/CG38-E4NL] (archived August 18, 2022) (Quoted by the Geneva Association, the international association for the study of insurance economics: “A ban total da Más Paying ransoms or having res/insurers reimburse them can backfire, drive transactions underground and encourage ransomware attackers to engage in new and more malicious forms of extortion… The lack of cyber insurance coverage for extortion payments not only hurts policyholders, we're also doing nothing to stop the growth of [ransomware-as-a-service] that has fueled ransomware attacks").

(Video) Restoring to Backups The Legal Consequences of Skipping Post Ransomware Insurance Protocols

(54.) Asaf Lubin, Holding Evolutionary Technology, 28(1) CONN. EINS. LJ 131, 161 (2021).

(55.) Siehe Spencer Pollock and Kelly Campbell, North Carolina Bans State Entities From Doing Business With Hackers, Other States May Follow, MCDONALD HOPKINS (June 9, 2022), https://mcdonaldhopkins.com/Insights /junho-2022/NC-bans-negotiating-with-hackers [https://perma.cc/S5AK-AYHY] (archived August 18, 2022).

(56.) See ibid.

(57.) See the State Cyber Security Law, FLA. EXPRESS. [Section] 282.318 (Amended 2022).

(58.) Siehe Elise Elam and Benjamin Wanger, Florida Follows North Carolina in Banning State Agencies from Paying Ransom, BAKER HOSTETLER (July 19, 2022), https://www.bakerdatacounsel.com/cybersecurity/florida- follows-north-carolina-in-prohibiting-state-agencys-from-paying-ransoms/ [https://perma.cc/9C75-QQL7] (archived August 18, 2022).

(59.) See ibid.

(60.) Pollock & Campbell, supra nota 55.

(61.) See, p. B. CYBERSECURITY AND INFRASTRUCTURE SEC. AGENCY FOR PROTECTION OF SENSITIVE AND PERSONAL INFORMATION FROM DATA BREACHES CAUSED BY RANSOM WARE, https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf (last accessed 21 January September 2022) [ https://perma.cc/2DU3-DTP3] (archived August 18, 2022) (noting that CISA "strongly discourages paying ransoms to criminals. other criminals engage in the distribution of ransomware and /or finance illegal activities, nor payment of ransom guarantees that the victim's files will be recovered."); see also David Bisson, Mayors Say They'll No Longer Pay Ransoms Connected to Security Events, TRIPWIRE (July 12, 2019), https://www.tripwire.com/state-of-security/security-data-protection/ mayors -sa y-theyll-no-longer-pay-ransoms-connected-to-security-events/ [https://perma.cc/BV9S-BB53] (filed 18 Aug 2022) (shows that officials of the local government also used the position of not making ransom payments). The official nonpartisan organization of cities with a population of 30,000 or more has pledged not to pay a ransom in the event of a ransomware event. I WOULD GO.

(62.) See generally OFF. OF FOREIGN ASSET CONTROL (OFAC), U.S. DEPARTMENT OF TREASURY, UPDATED NOTICE ON RISKS OF POTENTIAL SANCTIONS FOR THE FACILITATION OF RANSOMWARE PAYMENT (September 21, 2021), https://www.dwt.com/ -/media /files/blogs /privacy-and-security-blog /2021 /10/ofac-ransomware-sanctions-advisory.pdf [https://perma.cc/P2DD-Z4W6] (archived August 18, 2022 ). For a review of the limited impact OFAC policies have had on deterring payments, see Kyle D. Logue and Adam B. Shniderman, The Case for Banning (and Mandating) Ransomware Insurance, 28(1) CONN. 1. LJ 247 (2022); see also Michael T. Borgia and Dsu-Wei Yuen, OFAC makes waves in fight against ransomware, but practical effects unclear, DAVIS WRIGHT TREMAINE LLP (October 1, 2021), https://www.dwt. com/blogs/privacy --security-law-blog/2021/10/ofac-updated-ransomware-advisory [https://perma.cc/R6D4-SSN7] (archived August 18, 2022).

(63.) See Logue & Shniderman, footnote 62, pp. 300-01. The authors describe OFAC's payment ban as a "limited or conditional ban" that "to date remains largely unenforced." As one of the reasons for the limited effect of the ban, the authors cite OFAC's "discretion in deciding who to incur penalties... [and] in deciding whether a violation has occurred." I WOULD GO.

(64.) Siehe Erin Ayers, Banning Ransom Payments Would Make Extortion Worse: FBI Official, FPN ADVISEN (April 4, 2022), https://www.advisen.com/tools/fpnproc/fpns/articles_new_35/P /427646848. html?rid=427646848&list_id=35 [https://perma.cc/63UV-PEZ2] (archived August 18, 2022).

(65.) Ebd.

(66.) More recently, in the wake of the Colonial Pipeline ransomware attack, Anne Neuberger, deputy national security adviser for cyber and emerging technologies, acknowledged that victims of ransomware “often face a very difficult situation that they have to do for now. ., with a cost advantage when they have no choice but to pay a ransom.” Therefore, he did not condemn Colonial Pipeline's decision to pay a $5 million ransom the day after the attack. See Jen's press conference Psaki, the Press Secretary, Dr. Elizabeth Sherwood-Randall, National Security Advisor and Deputy National Security Advisor and Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, WHITE HOUSE (May 10, 2021), https://www.whitehouse.gov/briefing- room/press-briefings/2021/05/10/press-briefing-by-press-secretary-jen-psaki-homeland-security-adviser-and-deputy-national- security-advisor-dr-elizabeth-sher wood-randall-and-deputy-national-security-advisor-for-cyber-and-emerging/ [https://perma.cc/W2AH-35PU] (archived August 18 of 2022).

(67.) See SIMON HANDLER, EMMA SCHROEDER, FRANCES SCHROEDER & TREY HERR, ATL. COUNCIL, FIGHTING RANSOMWARE: LESSONS FROM AIRCRAFT HIJACKING 10 (August 26, 2021), https://www.atlanticcouncil.org/wp-content/uploads/2021/08/IB-RANSOMWARE-3.pdf [https ://stay . cc/C6AU-6TW7] (filed August 18, 2022) (“Ransomware payments cannot be counted in binary, banned or not banned, because that action alone is insufficient and potentially harmful. What is needed is change the incentive structure for ransomware targets and give them more realistic alternatives").

(68.) See Rob Legare, Nicole Sganga, and Jeff Pegues, US Seize Over $6 Million in Ransomware Attacks, CBS NEWS (November 8, 2021), https://www.cbsnews.com/news/ransomware-attacks-united - state-6-million/ [https://perma.cc/8QEX-T79B] (archived August 18, 2022).

(69.) Ebd.

(70.) See, p. B. Conspiracy to Commit Access Device Fraud and Computer Invasions, 18 U.S.C. [Section] 371; Access Device Fraud, 18 U.S.C. [section] 1029; Computer Fraud and Abuse Act, 18 U.S.C. [section] 1030; Wire Fraud Affecting Financial Institutions, 18 U.S.C. [section] 1343; Conspiracy to commit wire fraud involving financial institutions, 18 U.S.C. [Section] 1349.

(71.) Cybercriminal in Convicted Multimillion-Dollar Ransomware Attacks in Online Fraud Schemes, US Department of Justice (March 25, 2022), https://www.justice.gov/usao-edva /pr/cybercriminal-connected-multimillion-dollar-ransomware-attacks-sentenced-online-fraud [https://perma.cc/BU9N-8PBS] (archived October 10, 2022); As another example, consider alleged Russian crypto money launderer extradited to the United States, US DEP'T OF JUST. (August 5, 2022), https://www.justice.gov/opa/pr/alleged-russian-cryptocurrency-money-launderer-exradited-united-states [https://perma.cc/C6LW-BPKZ] (filed Oct 10, 2022) (description of a "defendant extradited from Greece to face charges of operating BTC-e, an illegal bitcoin exchange that allegedly took more than $4 billion in deposits").

(72.) Ebd.

(73.) Ebd.

(74.) See Zoe Kleinman, Insurers Defend Covering Ransomware Payments, BBC (January 27, 2021), https://www.bbc.com/news/technology-55811165 [https://perma.cc/N5SJ-FYUM ] (filed August 18, 2022) (explains that insurance companies now cover ransomware payments); Rachel Monroe, How to Negotiate with Ransomware Hackers, NEW YORKER (March 31, 2021), https://www.newyorker.com/magazine/2021/06/07/how-to-negotiate-with-ransomware-hackers [ https://perma.cc/HZ6W-3LJS] (archived August 18, 2022). But see Carolyn Cohn, Insurers Run from Ransomware Cover as Losses Mount, REUTERS (November 19, 2021), https://www.reuters.com/markets/europe/insurers-run-ransomware-cover-losses-mount-2021 -11-19/ [https://perma.cc/UH7G-AVAJ] (archived August 18, 2022).

(75.) Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. USA), Judgment, 1986 I.C.J. Rep. 14, [paragraph] 195 (June 27).

(76.) Ibid. [paragraph]

(77.) Ebd.

(78.) See ibid.

(79.) NATO COOPERATIVE. DEF. CYBERNETICS ctr. OF EXCELLENCE, TALLINN MANUAL 2.0 ON INTERNATIONAL LAW FOR CYBER OPERATIONS 317 (2nd ed. 2017) [hereinafter TALLINN MANUAL 2.0].

(80.) See generally Kristen Eichensehr, The Law & Politics of Cyberattack Attribution, 67 UCLA L. REV. 520 (2020); see also JOHN SAKELLARIADIS, ATL. TIP, ISSUE SUMMARY: BEHIND THE RISE OF RANSOMWARE 8 (2022), https://www.atlanticcountil.org/wp-sedcontent/uploads/2022/08/Behind-the-Rise-of-Ransomware.pdf [https: / /perma.cc/CM6D-R5G2] (filed August 10, 2022) (“The fluidity, decentralization, and dynamism of the digital extortion market complicate the process of identifying individual ransomware actors. The relationships that characterize each ransomware group are constantly fluctuating, with individuals switching between ransomware gangs, gangs purchasing tools and services from other criminals, and different groups contributing to different elements of an attack," as cybersecurity officials recently noted in the United States, Australia and the United Kingdom").

(81.) See G.A. Resolution 56/83, ILC Article on State Responsibility for Internationally Offensive Acts, arts. 2, 8, 11 (December 12, 2001).

(82.) Mark Visger, The International Law Sovereignty Debate and the Development of International Laws on Peacetime Cyber Operations, LAWFARE (July 12, 2022), https://www.lawfareblog.com/international- law-sovereignty-international-debate-and-development-norms-peacetime-cyber-operations [https://perma.cc/NMT7-6D5Q] (archived August 10, 2022).

(83.) These questions are based on the sovereignty violation tests proposed in the Tallinn Manual. See TALLINN HANDBOOK 2.0, footnote 79 above, pp. 20-21.

(84.) Gary Corn, The role of international law in the fight against ransomware?, JUST SEC. (August 23, 2021), https://www.justsecurity.org/77845/international-laws-role-in-combating-ransomware/ [https://perma.cc/5DBZ-Y5R5] (submitted August 2021). 2022) .

(85.) Ebd.

(86.) Representative of the Group of Governmental Experts on Information and Telecommunications Developments in the Context of International Security. Transmitted by letter dated June 26, 2015 from the Secretary General to the General Assembly, 8, U.N. Doctor A/70/174 (July 22, 2015).

(87.) Morgan Phillips, Biden gave Putin a list of 16 critical infrastructure companies "closed" to cyberattacks, Fox Bus. (June 16, 2021), https://www.foxbusiness.com/politics/ biden-putin-critical-infrastructure-entities-off-limits-cyberattacks [https://perma.cc/F3BY-LQE7] (archived 8 12/12/2022).

(88.) Full disclosure, the writer helped draft the statement and eventually signed it after publication, though he disagreed with the writers on their language.

(89.) Dapo Akande, Antonio Coco, Talita de Souza Dias, Duncan B. Hollis, James C. O'Brien, and Tsvetelina van Benthem, Oxford Declaration on the Protection of International Law in Cyberspace: Regulating the Operations of ransomware, JUST SBC. (October 4, 2021), https://www.justsecurity.org/78457/oxford-statement-on-international-law-protections-in-cyberspace-the-regulation-of-ransomware-operations/ [https:/ //perma.cc/ZUJ7-UGXH] (archived August 12, 2022).

(90.) Ebd.

(91.) See ibid. Ultimately, the Oxford Declaration simply sets out a "vision" and calls on states to "commit fully" to that vision. States have yet to do so publicly, leaving international ransomware law in a vague and idiosyncratic position.

(92.) See generally Peter P. Swire, No Cop on the Beat: Underenforcement in E-Commerce and Cybercrime, 7 J. TELECOMM. & HIGH TECHNOLOGY. L. 107 (2009) (discussing the difficulty of finding "clear and objective answers" and descriptions of social and political problems, namely the enforcement of "e-commerce, cybercrime, and Internet damage").

(93.) Alexandra Natapoff, insufficient compliance, 75 FORDHAM L. REV. 1715, 1717 (2006).

(94.) See Horst W.J. Rittel & Melvin M. Webber, Dilemmas in a General Theory of Planning, 4 POL'Y SCIS. 155, 160-61 (1973) (describing the concept of "evil problems." These are public policy problems that, unlike problems in mathematics or chess, avoid easy articulation and deny easy or definitive solutions.)

(95.) A more recent exception is the "Strengthening American Cybersecurity Act of 2022" passed in March 2022. p. 3600, 117. Kong. (2022). The new legislation requires organizations that qualify as critical infrastructure operators to report ransomware payments to CISA "within 24 hours" and report all other cyberattacks "within 72 hours." Graham Cluley, US Legislation Brings Mandatory Cyberattack and Ransomware Reporting One Step Closer, TRIPWIRE (March 3, 2022), https://www.tripwire.com/state-of-security/government/ us-legislation-brings-mandatory-cyberattack-and-ransomware-reporting-one-step-closer/ [https://perma.cc/4JTF-WV5U] (archived August 12, 2022). Note, however, that this confirms the sector protection framework for critical infrastructure discussed above, although there are no protections or obligations beyond critical infrastructure. For a more in-depth analysis see id. Another exception is the government regulation of public responses to ransomware discussed above. In fact, both North Carolina and Florida require that state and/or law enforcement agencies be notified when a ransomware attack occurs on state public facilities. See footnotes 55-59 and accompanying text.

(96.) Remember the discussion above about the New York State Cyber Insurance Ordinance as a possible exception. See footnote 52 above and accompanying text.

(97.) Swire, supra note 92, at 111.

(98.) S.REP. In it. 107-351, p. 77 (2002) (explaining that, as noted by the Senate Intelligence Committee, dealing with transnational threats "requires close coordination and information sharing between and within agencies of the intelligence community").

(99.) Parts of this section repeat analysis I found elsewhere in Asaf Lubin, The Prohibition on Extraterritorial Enforcement Jurisdiction in the Datasphere, in HANDBOOK ON EXTRATERRITORIALITY IN INTERNATIONAL LAW 1 (Austen L. Parrish & Cedric Ryngaert eds., published in 2022 ) argued).

(100.) Michael Batrla and Jakub Harasta, set the dogs free? Disruption of the Hansomware Ecosystem Through Offensive Cyber Operations, in 14TH INTERNATIONAL CONFLICT ON CYBER CONFLICT: KEEP MOVING 93, 99 (2022) (List of CIS countries as Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan).

(101.) See SAKELLARIADIS, footnote 80, p. 9 (“Russia's failure to conduct cross-border cybercrime investigations exacerbates the natural barriers associated with cross-border law enforcement. For more than a decade, major cybercrime networks have operated with impunity in Russia. Growing Numbers The Evidence suggests that many of these criminals gain immunity by collaborating with Russian intelligence and law enforcement agencies").

(102.) SS Lotus (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, to 18 (emphasis added).

(103.) Bert-Jaap Koops and Morag Goodwin, Cyberspace, Cloud, and Cross-Border Criminal Investigation. The limits and possibilities of international law 61 (Tilburg L. Sch. Legal Stud. Rsch. Paper Series. Working Paper No. 05/2016, 2014). In fact, the authors cite a manual for US prosecutors to show that even the most benign acts of remote evidence-gathering, such as making a phone call or sending a letter, "may be considered an infringement of sovereignty." I WOULD GO.

(104.) See, p. BX, Re (2009), 2009 FC 1058, para 40 (Can. Fed. Ct.); Weber and Saravia v. Germany, app. No. 54934/00 Eur. Kt. HR [paragraph][paragraph] 1, 88 (2006).

(105.) A 2013 study by the United Nations Office on Drugs and Crime summarized the views of 47 responding states on a variety of cybercrime-related topics. Two-thirds of those surveyed concluded that foreign law enforcement agencies were "not allowed" to "access computer systems or data" without relying on formal consent confirmation mechanisms, such as B. an MLA method. These countries explicitly invoked the “sovereignty principle” to justify their position. See A SHUTDOWN. DRUGS AND CRIME, COMPREHENSIVE CYBERCRIME STUDY 220 (February 2013) https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf [https://perma.cc/JA2E-CUZY ] (archived August 14, 2022).

(106.) See, p. B. Robert J. Currie, Cross-Border Evidence Gathering in Transnational Criminal Investigations: Is Microsoft Ireland the "Next Frontier"?, 54 CAN. YB INT'L. L. 1, 51 (2016) (concluding that states are still committed to a “Westphalian model” for the time being, which prohibits extraterritorial enforcement jurisdiction in cyberspace); Joachim Zekoll, Jurisdiction in Cyberspace, in BEYOND TERRITORIALITY: TRANSNATIONAL LEGAL AUTHORITY IN AN AGE OF GLOBALIZATION 341, 369 (Gunther Handl et al.."); Kevin Jon Heller, In Defense of Pure Sovereignty in Cyberspace, 97 INT 'LL.BREED 1432, 1464 (2021) ("Low intensity law enforcement operations violate sovereignty simply because they involve intrusion into a computer system located on the territory of another state"); Stephen Allen, Enforcement of the Criminal Jurisdiction in the Clouds and International Law's Enduring Commitment to Territoriality, in THE OXFORD HANDBOOK OF JURISDICTION IN INTERNATIONAL LAW 381, 409 (Stephen Allen et al. eds., 2019) (with reference to the fact that "unilateral recovery of data within the sovereign territory of another state" violates "international law" And suggests that he went on to say that any attempt to "circumvent the territorial concept of enforcement jurisdiction by referring to exclusive grounds exceptional" was "unsustainable".

(107.) The main cybercrime treaty, the Council of Europe Convention on Cybercrime (or the Budapest Convention), prohibits non-consensual cross-border access to computer data, except in very limited scenarios. See Convention on Cybercrime art. 32, 11/23/2001, 185 E.T.S. (entered into force on July 1, 2004) [hereinafter the Budapest Convention]. It should be noted, however, that Article 39(3) confirms that the Convention does not affect other rights or limitations, opening the door to a parallel evolution of common practice with respect to extraterritorial application in cyberspace. See identification. Art. 39(3).

(108.) CORRECTION (TO THIRD PARTIES) FOR FOREIGN RELATIONS. L. DE USA [section] 432, cmt. b (AM. L. INST. 1987) (further suggesting that the offended State may have the right to seek a specific remedy).

(109.) See Heller, footnote 103, p. 1468 ("[Any] remote intrusion into a computer system, even if it does not cause harm, violates the territorial sovereignty of the state in which the computer system is located").

(110.) Batrla & Harasta, supra note 100, em 114.

(111.) See ibid. in 99

(112.) See Cameron Bertron, Answering the Call: Improving Local Police Response to Ransomware, ALL. SECURE DEMOCRACY (January 14, 2022), https://secureingdemocracy.gmfus.org/answering-the-call-improving-local-police-response-to-ransomware/ [https://perma.cc/VE75 - TJJB ] (Filed August 16, 2022) (Description of a study in which researchers "called local police in the most populous city in the 50 states" for information on how to respond to a ransomware incident. The investigation found that "most local authorities do not have a clear or codified response strategy to ransomware... In general, the responses seemed spontaneous and unpredictable. These findings suggest a lack of clarity and communication at the highest levels of law enforcement on who is involved in general." are bound to remain mixed if there are no clear policies for operators and employees. There is no clear chain of command for ransomware cases. This leaves local law enforcement and victims more in the dark

(113.) Swire, supra note 92, at 113.

(114.) KONG. RSCH. SERV., RANSOMWARE, AND FEDERAL LAW: CYBERCRIME AND CYBERSECURITY 5 (2021), https://crsreports.congress.gov/product/pdf/R/R46932 [https://perma.cc/5TP5-T3DU] (archivert am 8 12.16.2022).

(115.) Charlie Osborne, Ransomware in 2022: We're All Screwed, ZDNET (22.12.2021), https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/ [https:/ /perma.cc/2ZX3-P8HT] (archived August 16, 2022).

(116.) See SAKELLARIADIS, footnote 80, point 6 (“The increase in specialization in the different stages of the ransomware life cycle is also reflected in the growth of the ransomware-as-a-service (RaaS) model)” . The core group of criminals manages a ransomware payload while outsourcing ransomware delivery to so-called "partners" of law enforcement agencies was conducting attacks. As of October 2021, eight of the top 10 ransomware groups use a partner model to carry out attacks").

(117.) Batrla & Harasta, supra note 100, em 98.

(Video) Ransomware: Legal Issues and Practical Response

(118.) Ebd.

(119.) See footnote 109 and accompanying text.

(120.) Ibid. In fact, as part of the study, when faced with a phone call for advice after a ransomware incident, several police departments "were unsure of their response or Googled how police should respond." Another group of law enforcement officials didn't even know what ransomware was. One agent went so far as to state that "ransomware is not a law enforcement issue." I WOULD GO.

(121.) Gideon Parchomovsky & Peter Siegelman, The Paradox of Insurance, FAC SCHOLARSHIP AT PENN CAREY L. l, 5 (2020), https://scholarshiplaw.upenn.edu/cgi/viewcontent.cgi?article=3160&context= teacher_scholarship [https://perma.cc/C9V5-L92P] (accessed August 16, 2022).

(122.) Richard J. Aldrich and Lewis Herrington, Secrets, Hostages and Ransom: British Kidnapping Policy in Historical Perspective, 44(4) REV. IN T. DO. 738, 756 (2018).

(123.) See ibid.

(124.) See Richard Byrne Reilly, Born in the NSA!, VENTURE BEAT (May 1, 2014), https://venturebeat.com/2014/05/01/born-in-the-nsa-former-spies - are -starting-companies-all-over/ [https://perma.cc/YH3D-BNAG] (archived August 16, 2022) (quoting a former NSA employee who suggested that between "40 to 50 per 100 of US IT security startups are founded by former NSA employees").

(125.) Siehe Tracy Wilkinson, Biden's 'little foray' comment hampers diplomatic efforts to stop Russian invasion of Ukraine, L.A. TIMES (January 20, 2022), https://www.latimes.com/politics/story/2022-01-20/bidens-minor-incursion-comment-roils-diplomatic-eforts-to-stopp-russian-invasion - of-ukraine [https://perma.cc/C2H6-JTZN] (archived August 16, 2022).

(126.) AG. Resolution 3.314 (XXIX), Definition of aggression, art. 5(2) (December 14, 1974).

(127.) Ibid. Art. 5(3).

(128.) Ibid. Art. 5(1).

(129.) See NANCY DOUGLAS JOYNER, AIR HIKING AS AN INTERNATIONAL CRIME 263 (1974); see also Evan F. Horsley, State Sponsored Ransomware Through the Lens of Maritime Piracy, 47 GA. J.INT'L AND COMP. L. 669, 681 (2019) ("In many ways, ransomware attacks are to the Internet what pirates have traditionally been to the seas... The world as a whole has a wealth of experience dealing with maritime piracy Understanding those millennia of the pillaging of the seas, which it has given us both in terms of our more traditional understanding and in terms of our modern approach, should guide us as we begin to grapple with the domain of cyberspace.") HANDLER, SCHROEDER & HERR, supra footnote 67, at 10 (“Ransomware is not a new phenomenon. As with hijacking, addressing the root causes of ransomware requires a multipronged approach that combines active and passive measures to block the creation of value on the part of criminal groups and denying the groups their safe havens".).

(130.) See v. Yunis, 924 F.2d 1086, 1091 (D.C. Cir. 1991) (citing FOREIGN RELATIONS (THIRD) REFORMULATION. L. DOS USA [section][section] 404, 423 (AM. L. INST. 1987)) ("According to According to the universal principle, States may 'criminalize certain crimes recognized by the international community as being of universal interest, such as piracy, the slave trade, aircraft hijacking or attacks, genocide, war crimes and perhaps certain acts of terrorism, even if they exist there is no particular connection between the state and crime").

(131.) JOYNER, supra footnote 129, at 266.

(132.) See, p. B.S.K. AGRAWALA, WALKING AND INTERNATIONAL LAW 73-74 (1973); JOYNER, supra note 129.

(133.) Siehe allgemein z. B. DOUGLAS R. BURGESS, RESCUE WORLD: PIRACY IS TERRORISM, TERRORISM IS PIRACY (2010).

(134.) See generally, p. B. THE LINK BETWEEN ORGANIZED CRIME AND TERRORISM: TYPES AND RESPONSES (Letizia Paoli et al. eds., 2022).

(135.) See generally AGRAWALA, footnote 132, pp. 73-74; JOHN F. MURPHY, PUNISHMENT OF INTERNATIONAL TERRORISTS: THE LEGAL FRAMEWORK FOR POLICY INITIATIVES (1985).

(136.) See AGRAWALA, note 132, p. 74 (“[Kidnapping] constitutes a crime against humanity, as such kidnappers are enemies of humanity, Hostis humani generis. This crime constitutes an offense against a more humane and universal legal value that characterizes the crime, juris gentium, for above any private interest. And the fundamental characteristic of all crime, juris gentium, is compulsory punishment by all States, wherever the crime is committed").

(137.) See ibid. at 73

(138.) JOYNER, supra footnote 129, at 264.

(139.) See G.A. Resolution 74/247 (12/27/2019).

(140.) See G.A. Resolution 75/282 (May 26, 2021). According to this resolution, the draft convention must take into account existing international instruments and efforts at the national, regional and international levels to combat the use of information and communication technologies for criminal purposes. This includes the work and conclusions of the Standing Group of Intergovernmental Experts to Conduct a Comprehensive Study on Cybercrime. See identification.

(141.) See Katitza Rodríguez and George Wong, United Nations Charter to include human rights safeguards in the proposed cybercrime treaty, ELEC. LIMIT FOUND. (02/27/2022), https://www.eff.org/deeplinks/2022/02/letter-united-nations-include-human-rights-safeguards-proposed-cybercrime-treaty [https://perma. cc/S9LS-E8XM] (archived August 24, 2022).

(142.) EUR. DATA PRIVACY OFFICER, OPINION 9/2022 ON THE RECOMMENDATION OF A COUNCIL DECISION AUTHORIZING THE NEGOTIATION OF A COMPREHENSIVE INTERNATIONAL CONVENTION TO COMBAT THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGIES FOR DELICIOUS PURPOSES [paragraph] 12 (18 of May 2022), https://edps .europa.eu/systern/files/2022-05/2022-05-18-opinion_on_international_convention_en.pdf [https://perma.cc/6ZZE-8MMZ] (archived 2 May September 2022).

(143.) Jeff Burt, UN considers Russia's proposed cybercrime treaty, THE REG. (March 7, 2022), https://www.theregister.com/2022/03/07/russia-un-cybercrime-treaty/ [https://perma.cc/C8VB-M3UZ] (archived March 24, 2022). March 2022) August 2022) (quoting Mercedes Page, founder and CEO of Young Australians in International Affairs).

(144.) International Convention Against the Taking of Hostages, December 17, 1979, 1316 U.N.T.S. 205; Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation, March 10, 1988, 1678 U.N.T.S. 222; International Convention for the Suppression of Terrorist Attacks, December 15, 1997, 2149 U.N.T.S. 256; International Convention for the Suppression of the Financing of Terrorism, December 9, 1999, 2178 U.N.T.S. 197; United Nations Convention Against Transnational Organized Crime, November 15, 2000, 2225 U.N.T.S. 209; Convention for the Suppression of Unlawful Acts in Relation to International Civil Aviation, September 10, 2010, 50 I.L.M. 141; Additional Protocol to the Convention to Combat Unfair Seizure of Aircraft, INT'L MARITIME ORG. (October 14, 2005), https://www.imo.org/en/About/Conventions/Pages/SUA-Treaties.aspx [https://perma.cc/2Y95-VPZT] (archived August 24, 2005). of 2022) .

(145.) SEE MICHAEL HEAD, CRIMES AGAINST THE GOVERNMENT: FROM TREASON TO TERRORISM 275 (2011).

(146.) International Convention against the Taking of Hostages, note 144, art. 1. In the framework of the future legal situation, liberal users of the law will certainly have the opportunity to consider whether the collection of data with characteristics similar to those of the person's own detention should be considered. Finally, some argue that our digital selves are now an extension of our physical selves. See, for example, B. Russell W. Belk, Extended Self in a Digital World, 40(3) J. CONSUMER RSCH. 477 (2013).

(147.) JOSEPH LAMBERT, TERRORISM AND THE HOSTAGE IN INTERNATIONAL LAW: A COMMENTARY ON THE HOSTAGE CONVENTION 80 (1990).

(148.) Ibid. at 81

(149.) Siehe William Ralston, The Untold Story of a Cyberattack, A Hospital and A Dying Woman, WIRED (11 November 2020), https://www.wired.co.uk/article/ransomware-hospital-death - Germany [https://perma.cc/F3ZX-CEDN] (archived August 24, 2022); Kevin Collier, baby died due to ransomware attack at hospital, says Suit, NBC NEWS (Sept. 30, 2021), https://www.nbcnews.com/news/baby-died-due-ransomware-attack- hospital-suit-claims-rcna2465 [https://perma.cc/J9R2-KV83] (archived August 24, 2022).

(150.) See Sean Michael Kerner, Colonial Pipeline hack explained: Everything you need to know, TECHTARGET (April 26, 2022), https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explicated - Everything you need to know [https://perma.cc/7WEB-ZJ82] (archived August 24, 2022).

(151.) Prosecutor v. Ayyash, STL-11-01/1, Provisional Resolution on Applicable Law: Terrorism, Conspiracy, Homicide, Crime, Cumulative Charges, [paragraph] 85 (February 16, 2011). It should be noted that there is a heated debate "to this day" as to whether the definition of the crime of terrorism has reached an agreed definition, despite Ayyash's decision. See Coman Kenny, Prosecuting Crimes of International Concern: Islamic State at the ICC?, 33 UTRECHT J. INT'L & EUR. L. 120, 131 (2017).

(152.) United Nations Convention against Transnational Organized Crime, footnote 144, art.2(a).

(153.) Siehe allgemein Arindrajit Basu, Irene Poetranto, and Justin Lau, The UN fights to advance cybersecurity, CARNEGIE ENDOWMENT FOR INT'L PEACE (May 19, 2021), https://carnegieendowment.org/2021 /05/19/un-struggles-to-make-progress-on-secure-cyberspace-pub-84491 [https://perma.cc/K564-D8WA] (archived August 24, 2022).

(154.) See CHRISTOPHER J. D'URSO, NOWHERE TO HIDE: INVESTIGATION THE USE OF UNILATERAL ALTERNATIVES TO EXTRADITION IN THE UNITED STATES PROSECUTIONS OF TRANSNATIONAL CYBERCRIME 285 (2021) (unpublished thesis, University of Oxford) (on file with the author) (Suggesting that "cybercrime is unlikely to take steps toward cooperation, as has been the case with terrorism and drug trafficking. With these crimes, host countries have recognized the significant internal damage that illegal behavior has caused and often willing to help extradite However, cybercriminals know better than to attack their fellow citizens as they do little or no harm domestically, which is why some states have chosen to encourage this behavior rather than combat it.

(155.) See generally Alex Geisinger and Michael Ashley Stein, A Theory of Expressive International Law, 60 VAND. L.REV. 77 (2007) (discussing the literature on the role of normative pressure in influencing rational actors to change their behavior).

(156.) Veja Allgemein Martha Finnemore & Duncan B. Hollis, Beyond Naming and Shaming: Accusations and International Cybersecurity Law, EUR 31(3). J.INT'LL. 969 (2020).

(157.) Ibid. in 989.

(158.) See ibid. in 992.

(159.) Ibid. in 993.

(160.) Parts of this section echo the analysis I have argued elsewhere in Lubin, supra note 99.

(161.) See above, notes 99-111 and accompanying text.

(162.) See CEDRIC RYNGAERT, JURISDICTION IN INTERNATIONAL LAW 190 (2nd ed. 2015).

(163.) Siehe Frank Bajak, How the Kremlin Provides a Safe Harbor for Ransomware, ASSOCIATED PRESS (16 de abril de 2021), https://apnews.com/article/business-technology-general-news-government-and- Politicsc9dab7eb3841be45dff2d93ed3102999 [https://perma.cc/74C4-5DRF] (archivado el 24 de agosto de 2022).

(164.) D'Urso argues that unilateral investigations and enforcement actions against cybercrime "stop here." However, he focuses his analysis on the effectiveness and availability of decoy operations. These are covert operations that aim to encourage cybercriminals to leave their country of residence (host country) under false pretenses to carry out arrests and trials. Finally, he develops an interesting framework for the responsible and prudent use of this type of decoy operation in cybercrime cases. See D'URSO, footnote 154, pp. 218-80. While such operations can be fruitful in the fight against ransomware, the information needed to find and identify ransomware gang members (as well as disrupt their operations in real time) will depend on cyber investigative methods. To employ such means, States must continue to respond to any challenges arising from enforcing the prohibition on extraterritorial execution in cyberspace. As such, the analysis offered in this article remains relevant even in the context of D'Urso's proposal.

(165.) JODY R. WESTBY, INTERNATIONAL GUIDE TO FIGHTING CYBERCRIME 62 (2003).

(166.) See PETER CLYNE, AN ANATOMY OF SKYJACKING 138 (1973) (noting that "[i]n only recently has self-help been seen to be inadequate to the needs of a modern state, and that the problem of maintaining order public and law enforcement have been accepted as national responsibilities").

(167.) Charles F. Butler, The Path to International Legislation Against Hijacking, en AERIAL PIRACY AND INTERNATIONAL LEW 27, 34 (Edward McWhinney ed., 1971).

(168.) Michael Pourcelet, Hijacking: The Limitations of the International Tratado Approach, em AERIAL PIRACY AND INTERNATIONAL LEW 55, 58 (Edward McWhinney ed., 1971).

(169.) See ibid.

(170.) CLYNE, supra note 166, at 177.

(171.) Ebd.

(172.) See CLYNE, footnote 166, pp. 181-82. Clyne also demonstrates how new coalitions were formed to demand the implementation of these new precautions. I WOULD GO. at 174 (discussing the role of the British Airline Pilots Association in leading the introduction of security measures at Heathrow Airport).

(173.) See generally HANDLER, SCHROEDER & HERR, supra footnote 67.

(174.) See ibid. in 5

(175.) A similar process took place in the United Kingdom in relation to kidnapping and terrorism insurance. See Asaf Lubin, Public Policy and the Insurability of CyberRisk, 5 J.L. and ECT. TEXT 45, 97-98 (2021).

(176.) See, for example, Cheryl Winokur Munk, Buying Cyber Insurance Gets Harder as Attacks Proliferate and Costs Rise, WALL ST. J (August 8, 2022) https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000 [https://perma. cc/5LED-LF3N] (archived October 10, 2022); Kane Wells, Cyber Insurance Study Suggests Businesses Don't Have Ransomware Insurance, REINSURANCE NEWS (August 22, 2022), https://www.reinsurancene.ws/cyber-insurance-study-suggests-businesses- lack-ransomware - safe / [https://perma.cc/B53B-FUGJ] (archived October 10, 2022).

(177.) SEE STEFAN SOESANTO, ELCANO REAL INST., CYBERTERRORISM. WHY IT EXISTS, WHY IT DOESN'T EXIST AND WHY IT WILL BE 7 (2020), https://media.realinstitutoelcano.org/wp-content/uploads/2021/11/ari47-2020-soesanto-cyber-terrorism-why-it -exists-why-it-doesnt-and-why-it-will.pdf [https://perma.cc/V6SK-26T9] (archived August 24, 2022).

(178.) See AGRAWALA, footnote 132, page 138.

(179.) Ebd.

(180.) BURGESS, supra footnote 133, at 22.

(181.) Christopher Bing, Exclusive: US to give ransomware attacks similar priority to terrorism, REUTERS (June 4, 2021), https://www.reuters.com/technology/exclusive- us-give-ransomware-hacks-similar-priority-terrorism-official-says-2021-06-03/ [https://perma.cc/R4D6-FAXY] (archived August 24, 2022).

(Video) Ransomware In 6 Minutes | What Is Ransomware And How It Works? | Ransomware Explained | Simplilearn

COPYRIGHT 2022 Vanderbilt University, School of Law
No part of this article may be reproduced without the express written permission of the copyright owner.

Ransomware Law and Policy. (2023)

Videos

References