The Hacking of Things: International Law’s Modern Challenge
By: Lauren Kelly-Jones
In December, in a fully-booked luxury hotel in the Austrian Alps, guests went to their doors and couldn’t open them. Something was wrong. In the middle of winter, beside the cold Turracher lake the computers went dark.
It was the first weekend of ski season, and the entire door-key system of Romantik Seehotel Jägerwirt ( a 111-year-old hotel) had been taken down. Hackers demanded that the hotel hand over €1,500 (around $1,600, payable in bitcoin) to restore their systems. Because management felt as though they had no choice, they did so. Then – systems back up, doors unlocked – they went public, to warn others of the dangers of this kind of cybercrime: a modern twist on criminal blackmail.
“Ransomware” is in itself not a new concept: in a typical scenario, an entity’s data is encrypted and made unavailable until a payment is made. For instance, in California in February 2016, a hospital was forced to pay $17,000 in bitcoin to free its computers of a hacker’s virus. And yet, the Seehotel Jägerwirt attack is seemingly the first report of ransomware involving a physical device of this scale: the “Ransomware of Things,” or “jackware.” This kind of ransomware has the potential to control connected, intelligent objects in the real world. The risks are all too obvious: AT&T has highlighted the concept of a smart car being hacked with its ignition or brakes remotely controlled; in 2015, a hacker claimed to have taken over a plane’s engine controls; in Finland last year, a DDoS attack halted heating in two buildings in the middle of winter.
Martin Kleczynski, CEO of Malwarebytes, explained to WIRED Magazine that “my prediction going forward is that we’re not only going to see ransomware focused on data, we’ll see more ransomware focused on other ways to disrupt a business.” The growth of a thriving criminal infrastructure in cyberspace is an increasingly serious threat that reaches across geopolitical boundaries. As the sophistication of cybercrime increases, so should the urgency of international law’s approach.
What is the Law?
There is no single international framework for cybersecurity law, but there are multilateral efforts to address it, and a growing consensus that establishing such framework is a pressing obligation. Custom – a source of international law – requires general state practice that is performed out of a sense of legal obligation. According to an article in the Chicago Journal of International Law, international agreements like the Budapest Convention, the African Union Convention on Cybersecurity and Data Protection, and the various Association of Southeast Asian Nations working groups on cybercrime are evidence of opinio juris. Arguably, States are acting in the belief that they have an obligation to “enact and enforce cybercrime laws within their territories and to cooperate to prosecute and extradite cybercriminals.”
At the Budapest Convention on Cybercrime (2001), the Council of Europe aimed to “pursue a common criminal policy aimed at the protection of society against cybercrime.” Signatories promised to adopt domestic legislation to establish procedures outlined in treaty, cooperate through mutual legal assistance, even if there were no more specific agreement, and to prosecute cybercrimes committed on their territory. The latter – an issue of safe haven, where perpetrators can commit crimes in one country while sitting in another – is critical to the need for international cooperation, as many cybercrimes are international in scope. A nonbinding U.N. General Assembly Resolution calls on States to “eliminate safe havens” for cybercriminals. But – can the Budapest Convention evolve to tackle new ransomware threats? Microsoft has called the Convention a “gold standard” that is looked to when crafting cybersecurity programs, but multiple countries (Brazil, China and India, etc.) are non-signatories, and there are calls that the treaty is insufficient. There is need for a new instrument.
In its absence, some regions have taken things into their own hands. The African Union Convention on Cybersecurity and Data Protection (2014) was welcomed as a “landmark” initial step to create a legislative framework for cyber security and data protection in the African region. It addresses (1) electronic transactions, (2) personal data protection, and (3) cyber security and cybercrime. Under the convention, each nation would be required to develop a national cybersecurity strategy, and to pass cybercrime laws.
In January 2016, the EU Parliament approved the EU Network and Information Security (NIS) Directive, which was designed to raise cybersecurity capabilities across EU member states. The directive aims to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers.” In April 2016, the EU General Data Protection Regulation was adopted, which will “extend the scope of the EU data protection law to all foreign companies processing data of EU residents.” Any company that controls or processes the personal data of Europeans through the offering of goods and services – even if the company has no physical presence in Europe – will be impacted. Both compliance rules come into full effect in May 2018.
In the United States, the Department of Homeland Security’s guidelines for securing “The Internet of Things” suggest implementing security at the design stage, constantly updating systems, and promoting transparency. They also make clear that a “splintered” set of standards and rules will compromise innovation and security. The need for a global, evolving, modern agreement to address cybersecurity and the growing international threat of the Ransomware of Things is very clear.
For their part, Romantik Seehotel Jägerwirt have decided to take inspiration from their “great-grandfathers,” when they address cybersecurity in the wake of the attacks. When they renovate rooms, they will install old-school door locks and keys.