International operations against groups accused of spreading ransomware for extortion purposes are multiplying. However, the way they are carried out resembles paramilitary actions more than police investigations. Is the law still the best tool to protect critical infrastructure? An analysis by Andrea Monti, professor of Digital Law in the Digital Marketing course at the University of Chieti-Pescara. Originally published in Italian by Formiche.net
Europol and the US Department of Justice jointly announced the results of an international operation that led to the arrest of members of a group accused of spreading ransomware (malicious software that encrypts the contents of a storage device) for extortion purposes, demanding payment in cryptocurrency in exchange for the decryption key and for not (publicly) releasing the stolen data.
The news had been circulating for a few weeks but has now been officially confirmed.
We therefore learn that the countries involved in the operation are several European states (Italy is absent), the Five Eyes (but without New Zealand), South Korea, the Philippines and Switzerland.
We also learn that the US classified the ransomware attacks as a matter of national security, which allowed the Department of Justice to obtain the cooperation of the military and the intelligence services. We do not know whether the other countries did the same or limited themselves to ‘normal’ judicial investigation.
Finally, we learn of the presence of ‘private actors’ (officially, Microsoft, Bitdefender and McAfee) that cooperated in the activities, although the details of this cooperation are not known and will not be until the court documents are released, if they ever are.
We also know that the critical element of the operation was the hack back, the computer counterattack, against the infrastructure used to distribute and control the ransomware. The hack back destroyed the data and programs held on that infrastructure and planted hidden commands in the backups, so that control of the ransomware management systems could be regained covertly. In this way, when the suspects restored their systems from those backups to continue their criminal activity, they handed institutional (or private?) operators the ability to monitor them, and eventually to identify and arrest them.
According to publicly available information, it is reasonable to assume that the US carried out the hacking. The FBI was the first to claim to have obtained the keys to decrypt the files rendered unreadable by the ransomware.
The details of this operation are largely unknown, so we do not have a complete picture of what happened. What is certain, however, is that the involvement of the American military and national security authorities creates a technical-legal, and therefore political, problem that is not easy to solve: the legitimacy of retaliation following an attack (cyber or otherwise, it does not matter) in the course of a criminal investigation.
Notwithstanding national particularities, every Western jurisdiction draws a clear distinction between three kinds of activity: judicial investigation, which is subject to the control of the judiciary and does not permit the commission of crimes at home or abroad; national security activity which, within certain (extensive) margins, is the competence of the executive; and military activity, which Parliament must authorise. In the first case, undercover activity is possible, but without participating in crimes. In the second, members of the secret services may also commit crimes, which in some jurisdictions include murder. In the third, rules of engagement certainly provide for defence, even preventive defence, if not outright attack.
The freedom of manoeuvre that characterises each operational area matches the objectives it pursues. Bringing someone to justice means following the rules of fair trial, while protecting national interests through the intelligence services and the military means operating under fewer legal constraints, in a ‘free zone’ of responsibility.
Protecting national security can justify offensive actions even within the borders of another country (recent public history is full of more or less clandestine actions, from armed soldiers crossing into neighbouring countries to political murders). This approach, however, cannot be applied to criminal investigations, because evidence gathered that way is obtained in substantial violation of the right of defence. No investigator would be allowed to commit criminal offences to gather evidence of a crime; anyone who did so could not use that evidence at trial and would, obviously, answer personally for the action.
The theoretical analysis just described is, in purely formal terms, internally coherent. The blurring of the three spheres in which institutional structures operate, together with the complexities of international cooperation, therefore risks compromising the outcome of the trials, should those arrested turn out to be the perpetrators of the acts attributed to them. The reality of technological crime, however, describes a different scenario.
Faced with rapid, pervasive, highly efficient and concretely damaging attacks, we should ask ourselves whether it still makes sense to worry about ‘doing justice’, that is, reaching a conviction according to the rules of the court, or whether what matters is ‘simply’ eliminating the threat, without worrying about legal niceties. It is fairly clear, at least as regards the US position, that this second option has become official policy, after the regulation of ‘active cyber defence’ by law has been under discussion since at least 2017. As the US official statements show, it is also evident that it is difficult in practice to give the judiciary a conceptually prominent role in this type of operation.
HOW PUBLIC POLICIES ON THE SECURITY OF INFORMATION SYSTEMS COULD CHANGE
Abstracting from the specific case, we should take note of a very uncomfortable yet inevitable conclusion, one that has already emerged in other technological fields: the need to react within timeframes similar to those in which criminals act has deprived law and the courts of their ability to regulate social behaviour, including deviant behaviour.
The judiciary’s role loses relevance and gives way to a stronger executive role and, therefore, to a radical change in public policy on countering actions committed against technological infrastructures, not only critical ones. In other words, it should be discussed without hypocrisy whether it is time to treat certain actions no longer as crimes but as attacks which, even when committed by non-state actors, should be handled under the rules of international conflict (even if undeclared). It is no coincidence that last July President Biden “warned” his Russian counterpart, Vladimir Putin, that the US would do whatever was necessary to stop the ransomware attacks. This shows how reductive it is to think that operations like the one discussed here are of merely judicial relevance. They allow all the institutional actors, in the West and in the East, to manage (perceived) low-intensity conflicts without facing each other in the open field. Judicial power becomes merely an ancillary instrument of political pressure, used when the level of conflict exceeds a “tolerable” threshold, following an approach already practised in the expulsion of “personae non gratae” from this or that country.
THE ITALIAN TECHNOLOGICAL CROSSROADS
After years of inertia, and albeit with more than a few technical-legal blunders, since September 2019 Italy has gone full steam ahead in building a regulatory system for the security of national infrastructures. It set up the national cybersecurity perimeter, widened the cases in which the golden power can be exercised, and created a national cybersecurity agency. However, some technological and industrial issues that are hard to ignore remain on the table.
The first is whether we can still allow the software industry to enjoy substantial impunity for placing on the market products that have not been adequately tested for security, since it is unthinkable for the Italian Cybersecurity Agency to take the place of the producers.
The second is whether we can still consider acceptable business models based on the centralised management of functionality (managed services), which allow a single entity to control from the outside the entire network and the individual computers of an institution or company. One case documented in the investigations discussed in this article showed that tampering with a single piece of software used by managed service providers spread the infection to an estimated 800 to 1,500 victims.
The third and final issue concerns the Italian national cloud.
Other European countries, such as Germany, have chosen to use EU electronic communications service providers that adopt only open source technologies, as have France, the Netherlands and Sweden. This will allow them to meet strict standards of transparency and security. Italy, on the other hand, is choosing different paths, a choice that, at least from the point of view of technological sovereignty, makes the road a difficult one.
The international operation that led to the dismantling of a ransomware-based extortion network and the arrest of several people suspected of belonging to the criminal group that ran it showed that the result would not have been possible without methods more typical of clandestine and military operations than of judicial investigations.
This raises the question of the actual efficacy of the legal instrument in countering attacks that, by their nature, must be neutralised as soon as possible, including by way of reprisal. They cannot be allowed to continue for as long as it takes to conclude a judicial process, even just at first instance.
The response of the US legal system has been to reclassify ransomware attacks as a matter of national security. This has allowed the use of methods and resources that the judiciary could not have used. However, it will be essential to see how the courts handle, in practice, the contradictions of evidence collected with methods incompatible with fair trial rules. It will also be interesting to see how institutional hack-back actions (carried out with the support of private operators) can be legally justified. Finally, it will be essential to see whether a similar debate opens at the EU level.
The ransomware attacks have also highlighted that fundamental choices on the Italian national cloud can no longer be postponed, particularly as regards preserving technological sovereignty through the use of open source technologies, as other Member States have already decided to do.