At What Point are Ransomware Attacks an Act of War?

By Morgan VanderLeest

August 19, 2022

Image: Kaspersky

As the realm of cyber continues to grow, so do vulnerabilities in everything including businesses and infrastructures. This creates more opportunities for hackers to attack a system. One type of attack that is increasing in volume is ransomware – a type of malware that encrypts users’ data and demands a ransom payment in cryptocurrency. Part of this increase in these types of attacks is seen in the United States critical infrastructure. According to Christopher Wray, Director of the Federal Bureau of Investigation (FBI), “in 2021, we saw ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors …” which includes healthcare, oil and gas pipelines, schools, government, etc. [1]. The businesses and resources we depend on are being attacked, which raises the question of at what point does a ransomware attack against critical infrastructure constitute as an act of war? 

Acts of war are often difficult to define, and the United States has yet to draw a definitive line when it comes to cyber. In 2016, the Senate Armed Services Committee held a hearing on Cybersecurity, Encryption, and United States National Security Matters which was able to provide some answers regarding cyberwar. Then-Under Secretary of Defense for Intelligence Marcell Lettre started by stating that a decision will be made on a “case-by-case” basis by the President. He then went on to say, “Specifically, cyber attacks that proximately result in significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an ‘act of war’” [2]. But this leaves looseness between an unlawful attack to an act of war. Additionally, it does not state what type of attacks are more likely to be acts of war. Since there is not a clear picture, it is difficult to determine where ransomware would be placed.

The main goal of ransomware is not to cause destruction, rather it is meant as a way for attackers to gain cryptocurrency and data. Ransomware can be more than just encrypting data; it may also contain a threat to release the data if the ransom is not paid. Not only are victims trying to gain a key to get access to their data again, but they are also trying to prevent leaks from happening. Even if the ransom is paid, there is no guarantee that the key to encrypt the data will work or the data will not be released. Despite ransomware not being destructive in a literal sense in most cases, it can be just as damaging. This makes it harder to determine the classification of an attack since physical destruction is not seen right away or at all, potentially.

In 2021, there were two major ransomware attacks on critical infrastructure damaging to the United States and illustrative of the potential for destruction with these types of attacks. Where would these attacks land along the spectrum of unlawful attacks and acts of war? A key aspect to attempting to answer this question is whether a nation-state is behind the attack. The same thought process can be seen when addressing physical war. If a group or organization, like Al Qaeda, was behind the attack, how does that impact the classification of the act? There is an argument that “using force against non-state actors such as terrorist organizations does not amount to war …,” so hacking groups likely fall within in the area of organizations that do not constitute as acts of war [3]. However, there is currently a war against terrorism that does include organizations, but that is specifically for terrorism and not a general rule on non-state actors. As of this point, there is not much guidance on hacking groups attacking the United States’ critical infrastructure. Thus, it is more likely that the attacks will not be seen as acts of war. However, answers to these key questions could assist in developing a way to determine if a cyber attack, specifically ransomware, is an act of war. There needs to be a thorough solution to gain a firm understanding of cyber attacks in general, which will not be the key focus of this article. Instead, this article will provide an opinion on determining if ransomware attacks are an act of war by addressing the two major attacks in 2021. 

On May 6, 2021, Colonial pipeline – a key gasoline supplier to the East Coast of the United States [4] – was attacked and forced to shut down for six days [5]. While it is a relatively short shut down, it caused panic buying among the population along with increasing gas prices. One small blip in the functioning of a critical infrastructure impacted the economy and civilian life. The FBI determined it was a hacking group called DarkSide that was behind the attack [6]. Even though it did not come directly from the Russian government, that doesn’t mean that they should be eliminated automatically. At times, governments will employ third-party actors to carry out the attack. In this case, it is very unlikely the Russian government was behind it since the United States was told that the Russian domestic intelligence agency arrested the hacker [7]. Since it appears that a nation-state is not behind the attack, it is likely to be labeled as an unlawful attack. 

Not even a month later, another major ransomware attack occurred against a different sector of the United States’ critical infrastructure. JBS, a meat processing company, was the victim of the attack. While JBS is a global company and based in Brazil, it processes 20% of the meat in the United States [8]. That share is crucial to the U.S. food and agricultural sector; plus, the attack was partially against computer servers on U.S. soil [9]. This attack did not impact restaurants and grocery stores since the company quickly started to implement back-up systems to get the process going again. However, there was the potential for a meat shortage in the country. During the time it took to get the servers back up and running, JBS was working with the FBI, which attributed the attack to REvil – a cybercriminal group based in Russia [10]. Once again, the actor was a group and not a nation-state so there is a very slim chance that the attack would lean towards being labeled as an act of war. 

In both instances, a non-state actor was responsible which means that the U.S. is less likely to see it as an act of war. However, part of determining if an attack is unlawful or an act of war is determining the damage that has caused. As mentioned above by Mr. Lettre, the damage to critical infrastructure and significant economic impact are two fields that are evaluated to determine the classification of an attack. Since both attacks were against critical infrastructure, the analysis of how much destruction was caused, or in the process of causing, should be conducted. While neither attack caused significant destruction in the end, there was the potential for them to do so. The U.S. started to see the negative impacts from the Colonial Pipeline even with it shut down only six days. How much longer could the east coast have lasted with it shut down before there was a crisis for fuel? With the same thought, how long would it take for grocery stores and restaurants to stop functioning at full capacity with a major meat processing company down? Luckily, there was no impact seen in the availability of meat, but how far away was the United States from feeling the effects of the attack? These are questions that need to be addressed in order to begin finding the line to determine an act of war. Not only do critical infrastructure questions need to be answered, but so do economic ones. What is considered a significant economic impact? The Colonial Pipeline attack did have a visible economic impact that Americans felt at the gas tanks. How high would prices have to go before people start to consider the severity of the act? While these questions are not the only ones that need to be addressed and answered in order to assist in classifying an attack, they can be a starting point for the United States government. Not only do adversaries need to know when they should expect an equal if not escalatory response, but Americans need to know that their government is protecting them.

Thus far, there has not been a point where a severe enough ransomware attack has happened for a serious consideration of war, nor has a clear threshold been established for unlawful acts and acts of war. In order to illustrate the severity of not knowing the threshold, let’s paint a picture of a significant ransomware attack. For context, the scene takes place during the middle of a drought and heatwave in western continental United States. At midnight, the water sector is hit with a ransomware attack targeting the filtration system. The systems must be shut down once the attack is detected in order to prevent more unfiltered water released. However, before the systems are cut off, unfiltered water is released causing people to fall ill. Once the source is shut down, other systems must fill the hole and provide water for the people. Not only are people falling ill, but other systems are being forced to the brink and having issues keeping up with the demand for water. It takes two weeks for the systems to be up and running at full capacity again. Due to illness and water scarcity during a heatwave and a drought, hundreds of people die. For more context, the attack came from a group in Russia and their motivation is financial, which is the typical motivation behind ransomware. Thus, the goal was not to cause destruction or death, but it was a side effect [11].  Since water is crucial to survival, the hackers figured that the victims are more inclined to pay the ransom and likely to pay it in full. 

Now let’s take this scenario and dissect it the same way as the Colonial Pipeline and JBS attack. It was a non-state actor behind the attack which typically would lend to the classification of an unlawful act over an act of war. However, the consequences are much greater. There was loss of life, damage to critical infrastructure, and economic impact. The first two fields are seen by the death due to illness or not having enough water during a time of drought and heat, and damage to critical infrastructure is from having to redo part of the operating system for the water systems. Furthermore, other sectors of the United States’ critical infrastructure are impacted. For example, healthcare on those lines will have less water which is crucial to have in hospitals, and the agricultural sector will suffer even more due to less water for irrigation that is the source of water in a drought. The economic impact comes from the price of bottled water or jugs of water rising due to the high demand for clean water, which means that those part of the lower socioeconomic class may not be able to afford enough water for their household. Now the question becomes is this significant enough of a repercussion from an attack to constitute as an act of war? 

In my opinion, this attack does at least require a retaliation in equal measure if not an escalatory response. While I do not have the power or enough knowledge to definitively state where this attack falls on the spectrum of unlawful attacks and acts of war, the effects of the attack were deadly. Not only is the United States compromised with part of its water sector down, but it has also lost hundreds of citizens.  At this point, it is a national security issue since it was an attack against a critical infrastructure, which means that it is crucial to the functioning of our nation. As a citizen, I would expect my government to respond in a way that proves we are not to be trifled with. While I do not know if it would constitute as an act of war since the motive was financial, I do not think that it is an attack that can be brushed to the side. With the loss of life and impact on daily living, I feel that this attack is significant enough to have crossed a threshold that has a classification stronger than an unlawful act. While the label of an act of war may be too harsh, I think there would need to be serious consideration for it and potentially seen as an act of violence.  

Defining what is an act of war is difficult, especially when applying it to a realm that is still considered new and that is growing faster than officials can keep up with. However, not providing a clear stance on cyber attacks allows for adversaries to have the upper hand. They are able to keep pushing their limits on the type of attacks and against whom since there is no guarantee that the United States will come out aggressively against them. If the United States does not start clearly defining their thresholds, they will continue to be pushed around and vulnerable to more serious attacks.

In order for the United States to start being a leading figure in the realm of cyber, they need to craft and introduce a policy of retaliating against cyber attacks. Furthermore, they need to answer some questions that can provide an outline for when an attack may need to be considered more closely if it is an act of war. In my opinion, there are many questions that would need definitive answers, but the following are a few that could begin the process of developing a guide to determine where an attack would likely land on the spectrum. Even if the motive is financial, how damaging or fatal does an attack have to be for it to warrant a more serious response? Can ransomware be seen as an act of war since the repercussions can be deadly? Since many cyber-attacks come from groups, does the thought of a nation-state being present need to shift in order to give legitimate consideration to groups, or organizations, as adversaries?

Once there is a clearer picture of where the United States stands on ransomware attacks on critical infrastructure as acts of war, there would follow another phase of discussions. How do we address the countries that allow hackers to stay within their borders without repercussion? At what point does the nation become an actor behind the attack and not just a safe place for hackers to live? How do we identify who is attacking us since ransomware hides in the anonymity of cryptocurrency? If it is a third party that is identified, how is it determined if a nation is using them to carry out their actions or strategy? What does it mean for a democracy, if they are paying adversaries millions of dollars to get their infrastructure going again? All of these questions are important and cannot be addressed here. More importantly, there needs to be a discussion about these questions so that the United States can withstand ransomware attacks and still preserve its democracy.  

References

[1]  Christopher Wray, “Director’s Remarks to the Boston Conference on Cyber Security 2022,” FBI, June 1, 2022,  https://www.fbi.gov/news/speeches/directors-remarks-to-boston-conference-on-cyber-security-2022 

[2]     Committee on Armed Services United States Senate, Cybersecurity, Encryption and United States National Security Matters, July 14; September 13, 2016, 114th Congress, 2nd Session, Washington D.C.: U.S. Government Publishing Office, 2017, 89, https://irp.fas.org/congress/2016_hr/cybersec.pdf 

[3] Michael D. Ramsey and Stephen I. Vladeck, “Declare War Clause,” National Constitution Convention, https://constitutioncenter.org/interactive-constitution/interpretation/article-i/clauses/753 (accessed July 25, 2022)

[4]     Zachary Cohen and Geneva Sands and Matt Egan, “What We Know About the Pipeline Ransomware Attack: How it Happened, who is Responsible and More,” CNN, May 10, 2021, https://www.cnn.com/2021/05/10/politics/colonial-ransomware-attack-explainer/index.html 

[5]    Gaurav Banga, “Critical Infrastructure Companies Must Address Cyber Threats More Efficiently,” CPO Magazine, June 15, 2022, https://www.cpomagazine.com/cyber-security/critical-infrastructure-companies-must-address-cyber-threats-more-efficiently/ 

[6]       Banga, “Critical Infrastructure Companies”

[7]    Sean Lyngaas, “US Officials Believe Russia Arrested Hacker Responsible for Colonial Pipeline Attack,” CNN, January 14, 2022, https://www.cnn.com/2022/01/14/politics/us-russia-colonial-pipeline-hack-arrest/index.html 

[8]  Greg Myre, “Meat Supplier JBS is the Latest Company Hit with Ransomware Attack,” NPR, June 2, 2021, https://www.npr.org/2021/06/02/1002368782/meat-supplier-jbs-is-the-lastest-company-hit-with-ransomware-attack 

[9]        Myre, “Meat Supplier JBS”

[10]      Sean, “US Officials Believe Russia”

[11]    Robert Walton, “Sophisticated Hackers could Crash the US Power Grid, but Money, not Sabotage, is Their Focus,” Utility Dive, October 28, 2021, https://www.utilitydive.com/news/sophisticated-hackers-could-crash-the-us-power-grid-but-money-not-sabotag/603764/ 

About the Author

Morgan VanderLeest is an undergraduate student at the University of Michigan majoring in computer science with a minor in political science. They did an internship at the Institute of World Politics where their focus was on cyber, with regard to ransomware.