A woman writhes on a gurney in the back of an ambulance racing to get treatment for her aortic aneurysm. The paramedics radio the closest hospital to announce their impending arrival. But they’re told the hospital is in the grips of a ransomware attack, critical systems are offline, and it can’t accept new patients. The heart patient has to go elsewhere, which means an hour-long drive to the next comparable facility. By the time she is able to receive treatment, the woman has died.
This isn’t hypothetical. This exact scenario happened in Germany in September 2020. And when it did, numerous voices in the cybersecurity community (mine included) called it the first death to be directly caused by a cyber attack. Ransomware disabled the hospital. And if the woman had been able to receive treatment sooner, she likely would have survived her cardiac episode. Responsibility for her death seemed to fall squarely on the shoulders of the hackers behind the ransomware attack.
German prosecutors agreed. They saw in the attack an open and shut case of negligent homicide. But, under German law, in order for someone to be convicted of that crime, prosecutors needed to establish legal causation between the actions of the defendant and the resulting death. And that’s where things got tricky.
Cyber Attacks as Criminal Acts
The Computer Fraud and Abuse Act was enacted in the US in 1986 and represented the first major effort to prevent hacks through criminal law. Many other countries adopted similar laws – some later than others – but all realized early on that cybercrime needed (but lacked) an appropriate legal apparatus.
Cybercrime laws around the world have evolved and matured significantly since then. GDPR in Europe drastically raised the bar for data protection and privacy while levying severe penalties for any infraction. California adopted a similar law, as have other US states, and the recent Strengthening American Cybersecurity Act of 2022 established sweeping cybersecurity requirements for all federal offices and many of the vendors they work with. Never has “cyber” legislation been as expansive as now, and all signs suggest this regulatory framework will only expand further.
One area where it remains immature, however, is the prosecution of offenders for the damage caused by cyber attacks. Most laws measure damage (and thus assign penalties) based on the number of records stolen or the amount of downtime caused. But the law stops there. Most downstream effects of the attack are considered irrelevant.
Which makes sense. For most of history, cyber attacks have been seen as IT issues first and foremost. And while they could certainly cause plenty of damage and disruption, it was seen as confined to the digital realm. Rarely did attacks spill over into the physical world, so there was no reason to contextualize those attacks within existing criminal law.
But that’s changing fast. One example is the attack on the Colonial Pipeline in May 2021. A ransomware attack disabled one of the largest oil pipelines on the Eastern Seaboard, resulting in fuel shortages, panic buying at the pump, and changes to flight schedules due to lack of fuel. President Biden declared a State of Emergency as a result. And while the attack thankfully left no one dead or injured, it nonetheless highlights how cyber attacks can directly affect people’s health and safety. Ransomware directed at hospitals, schools, and police departments has a similar effect. And as we see hackers become increasingly emboldened and unscrupulous, future attacks won’t just disrupt data or apps – they will ruin lives.
Learning From the German Example
It’s telling what ultimately happened in Germany. After a two-month investigation, prosecutors concluded that they couldn’t meet the standard of proof necessary to link the woman’s death with the ransomware attack definitively. Prosecutors needed to show that had the ransomware attack never occurred, the woman would have lived. But after consulting with medical professionals, it was believed the woman would have died no matter where or when she received treatment. So while the ransomware attack made a bad situation worse, the heart condition, not the attack, caused the death.
I have no expertise in German criminal law, but it seems to me that prosecutors got it right in this case. Nonetheless, it’s impossible to hear this anecdote and not think about a slightly different variation: where medical devices get disabled by ransomware, and patients dependent on those devices die. Unfortunately, it’s only a matter of time before this scenario (or countless similar alternatives) happens. And when it does, will the law be able to prosecute those behind the attack for those deaths? Or will hackers skate by on a lesser charge, signaling to others that devastating attacks don’t come with devastating consequences for the perpetrators?
Time will tell. Until then, however, I hope we draw a lesson from what happened in Germany and start thinking more about cyber attacks as attacks on people, not just IT.