Ransomware and Cyberterrorism – Is it legal to pay to unlock your computer?
The IT world is reeling from what is described as an unprecedented cyber-attack which has manifested itself in the form of a denial of access “ransomware” locking computers and threatening to delete data if the demand for a payment of US$300 in bitcoins is not paid. It is said to have affected 200,000 computers in 150 countries. As at the time of writing about US$40,000 has been thought to have been paid and there is no real idea as to who is behind the attack.
The “Wcry” ransomware uses a weapons-grade exploit published by the NSA-leaking group calling themselves the Shadow Brokers.
What has not been given much thought, is the legal framework which governs the payment of such demands and the point at which you can cross the line and fall foul of the legislation banning the funding of terrorists. It is the same question that faces those of us that deal with the payment of one off ransoms to free kidnap victims from pirates on the high seas. It is probably not something that normally would trouble the heads of NHS Trusts.
The law on this is clear and the UK government is out on its own in the uncompromising stance it takes about paying ransoms to terrorists. Further, the advice being given publicly in respect to the recent attack is that the demand shouldn’t be paid and there is an IT work-around. As I have mentioned above, some people may need to pay out of necessity not least because the price goes up after a number of days. Indeed, there is at least one public example of a US hospital paying US$17,000 in the face of a similar albeit more directed ransomware threat.
Paying a ransom to criminal interests is not contrary to English law and that is well established. However, paying terrorists anyway is illegal. The relevant law is found at S. 17 of the Terrorism Act 2000.
A person commits an offence if-
(a) He enters into or becomes concerned in an arrangement as a result of which money or other property is made available or is to be made available to another, and
(b) He knows or has reasonable cause to suspect that it will or may be used for the purposes of terrorism.
An additional provision makes it illegal for insurers to indemnify an assured where they too have a reasonable belief that funds have been paid to terrorists. For these purposes if bitcoins are not “money” then they are certainly “property”.
The FBI define cyber-terrorism as:
…premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.
Whether a person is acting as a terrorist is a question of intent. A person committing an act of violence motivated by religion, politics and ideology is likely to have committed a terrorist act.
There have been documented cyber-attacks against the NHS system in February 2017 which appeared to be by ISIS and in particular, by the “Tunisian Fallaga Team” which posted graphics and pictures aimed at the war in Syria. This then was an act by a terrorist organization. This attack may not itself have been an attack that resulted in “violence”. However, it seems likely that a wholesale attack on the NHS system which results in a denial of access leading to cancelled operations and distress and undermines confidence of the public is an act of “violence” as defined above.
However, the issue here is whether the attack and demand is motivated by something other than greed. For the time being, the experts are suggesting this is a criminal attack and that the coding is not so sophisticated to implicate a state or other actor (although that has not stopped Russia throw brick bats at the US). During the height of the Somali piracy crisis a similar debate raged as to whether funds were actually being paid to terrorists thereby rendering the payments illegal.
We always used to say that if the might of the combined intelligence agencies cannot find out who is behind the attacks then we are unlikely to be able to do so. That gives grounds for arguing that it is reasonable to believe that those behind the attacks are motivated only by money. It maybe that this explains the careful language of government ministers to frame the ongoing events as “cyber-attacks” and not “cyber-terrorism”. If that changes, and the general and reasonable belief as to who is behind this shifts, then the option for those affected to pay may suddenly be removed.
On balance, we are not there yet.