This article was first published on Law360
On Oct. 21, 2016, millions of Americans suddenly lost access to websites like Twitter, Netflix and Spotify. It was that rare kind of cyberattack that could both hit close to home and yet still feel fairly low stakes. Specifically, the disruption came in the form of a “Distributed Denial of Service” (“DDoS”) attack, whereby hackers commanded an army of internet-enabled CCTV cameras to overload online servers with fake traffic. The unlucky target of this “botnet” was Dyn Inc., a DNS company that offers critical support for many popular websites.
As motives emerge, this attack at least emphasizes how cybercriminals can often act with little or no consequences. Prevention is therefore a preferred mode, even as retaliation against state sponsors becomes a hot topic. There are indications that coordination in this area may soon become a regulatory mandate, as well as a condition of insurance against data breaches. Alternatively, there is also a surprising trend toward the appeasement of hackers through ransoms. Like many aspects of cybersecurity law, the legal treatment of this last option could benefit from clarity.
Regulators Shift to Cybersecurity Requirements
Focusing on likely targets (i.e., large banks), regulators are actively drafting rules that could standardize and mandate minimum cybersecurity standards in the financial sector. This marks a departure from more sporadic, voluntary efforts toward a mandatory regime with common standards. It could also build momentum for other regulators to adopt similar rules.
Just last month, New York became the first state to propose regulations that would require financial services companies to implement cybersecurity programs. The federal government also appears to favor this approach. On Oct. 12, the three federal banking regulatory agencies approved an advance notice of proposed rulemaking that would require certain financial institutions to develop enhanced cybersecurity capabilities — such as a two-hour recovery time from cyberattacks — and to engage in active analysis of the threat they pose to other firms in the event of “cyber contagion.”
If fully implemented, these requirements will spell heavy costs in compliance for covered entities. Certainly, if a mandatory regime is truly the way forward, reducing the complexity, overlap and burden of these rules will be welcomed by the regulated entities.
This is not to say that voluntary incentives are completely off the table. Congress is considering a bill that would give a tax credit toward the purchase of data breach insurance and participation in a cybersecurity program. There simply appears to be growing interest in inoculating interconnected systems (in some ways, to help along a sort of bank-to-bank “herd immunity” against malware and other pernicious tactics). As last Friday demonstrated, unsecured devices may become instantly weaponized to take down entire networks. Similarly, the federal agencies view “financial sector-wide resilience” as a solution for individual banks, with à la carte security efforts coming up short so far.
The Legal Risks of Investing in Ransoms as Failsafe
But what if these systemic measures fail? Losing valuable customer information, IP or trade secrets can cut a business off at the knees. Therefore, mere knowledge that an attack may be contained or soon rendered ineffective does not remedy some of the worst dangers of cybercrime. Perhaps with this in mind, many British banks are currently hedging against cybersecurity failures by hoarding bitcoins[1] in contingency funds to pay off criminals that threaten their networks and steal data.
This “cyber extortion” is an estimated billion-dollar enterprise, and hackers typically price their threats below the cost of prevention (by design). For example, last February, Hollywood Presbyterian Medical Center was effectively disabled by a cyberattack and forced to pay 40 bitcoins (worth approximately $17,000) for relief. Overall, the FBI has estimated that these crimes have cost victims around $209 million in the first quarter of 2016.
Serious discussion could be given to the free-rider problem created here,[2] as well as to whether such contingency funds are now just another cost of doing business in a data-driven economy.
Without touching these policy points, American banks might simply ask: Are these ransoms legally prohibited?
Frankly, this is unclear at the moment. Law enforcement agencies such as the FBI have tolerated these transactions and given mixed signals in the past — with one official even quoted as saying, “To be honest, we often advise people just to pay the ransom,” while more recently, the FBI has discouraged them.
Even without specific legislation or regulations addressing cyber-extortion payments, a few legal considerations loom large and could use guidance.
For example, if a cyberattack came from a foreign terrorist organization (“FTO”), payments could possibly be prohibited as material support under 18 U.S.C. § 2339B. However, because the provision requires knowledge that the payee is a designated FTO, ransoms given to anonymous hackers may not trigger liability. Similarly, U.S. economic sanctions could be a source of trouble for banks that pay ransoms to state-sponsored cybercriminals. In 2015, the DOJ forced BNP Paribas to forfeit $8.8 billion and pay a $140 million fine for violating the International Emergency Economic Powers Act and Trading with the Enemy Act when it processed payments on behalf of Sudanese, Iranian and Cuban entities. One can imagine the specter of similar liability arising where highly organized (and therefore occasionally state-sponsored) attacks are directed toward large banks.
This brief article hopefully at least gives a sense of some of the legal vagaries surrounding cyber-extortion and ransom payments.[3]
As large banks and other targets are tasked to develop sophisticated cybersecurity programs, the temptation to simply pay off hackers should diminish as cyberattacks are rebuffed and free-riders take a back seat. However, it also seems a fair assumption that, despite all these efforts, hackers will still find new and ingenious ways to compromise entire systems, let alone individuals. It may be rational, or at least tolerable, for banks to indulge this pessimism and build up funds for ransom payments — all the better for regulators to clarify the legal risks here, ramp up retaliation efforts, or share more in the costs associated with mandatory cybersecurity.
Cybercrime is notoriously difficult to pin down. With the internet as the field of play, attacks often transcend jurisdictions, time zones and legal definitions. Proactive regulations that require cybersecurity programs and standards may indeed go far in deterring and managing these risks. Their burden on affected companies also should not be underestimated. Further, contingency funds should not be ignored as more companies plan around their security shortcomings and fear of collapse. Resolving the tension between the competing strategies of prevention, retaliation and appeasement should certainly challenge lawmakers and enforcers. For now, banks and other likely targets should monitor these recent regulatory developments, as well as consider the understated legal risk of paying ransoms to international cybercriminals.