Lubin on The Law and Politics of Ransomware

Asaf Lubin (Indiana U Maurer School of Law; Berkman Klein; Yale ISP; Federmann Cybersecurity Center, Hebrew U Law) has posted “The Law and Politics of Ransomware” (Vanderbilt Journal of Transnational Law, Vol. 55, 2022) on SSRN. Here is the abstract:

What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly 4,000 ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, “attacks leveled out at 20,000 to 30,000 per day in the US alone.” That is a ransomware attack every 11 seconds, each of which cost victims on average 19 days of network downtime and a payout of over $230,000. In 2021, global costs associated with ransomware recovery exceeded $20 billion.

This Article offers an account of the regulatory challenges associated with ransomware prevention. Situated within the broader literature on underenforcement, the Article explores the core causes for the limited criminalization, prosecution, and international cooperation that have exacerbated this wicked cybersecurity problem. In particular, the Article examines the resource allocation, forensic, managerial, jurisdictional, and informational challenges that have plagued the fight against digital extortions in the global commons.

To address these challenges the Article makes the case for the international criminalization of ransomware. Relying on existing international regimes (namely, the 1979 Hostage Taking Convention, the 2000 Convention Against Transnational Crime, and the customary prohibition against the harboring of terrorists), the Article makes the claim that most ransomware attacks are already criminalized under existing international law. In fact, the Article draws on historical analysis to portray the criminalization of ransomware as a “fourth generation” in the outlawry of Hostis Humani Generis (enemies of mankind).

The Article demonstrates the various opportunities that could arise from treating ransomware gangs as international criminals subject to universal jurisdiction. The Article focuses on three immediate consequences that could arise from such international criminalization: (1) Expanding policies for naming and shaming harboring states; (2) Authorizing extraterritorial cyber enforcement and prosecution; and (3) Advancing strategies for strengthening cybersecurity at home.