When I sat down with Eric Sinrod to look at our predictions for technology law in 2022, I looked at the possibility of conflict and how that might spill over to put businesses of all shapes and sizes at risk. You can watch that film here www.bit.ly/techlaw2022. That’s one prediction that I really hoped would not come true. But now that it has, what are the likely effects of the war in Ukraine?
Everyone is a target
History has taught us that offline conflicts spill over into the online world very quickly. Russia has considerable resources at its disposal for disinformation, but also for attacking critical infrastructure in Ukraine and in countries it perceives to be siding with Ukraine. Attacks have come, and will continue to come, from state actors. Given the increased tensions, it is also highly unlikely that Putin’s recently announced strategy of bringing ransomware gangs to justice will continue. Aggressors in this situation often rely on chaos, and either supporting ransomware gangs or turning a blind eye to them is likely to be a key part of that. The announcement by the infamous Conti ransomware gang that they are joining the war on Putin’s side would seem to confirm this. Conti has previously attacked infrastructure targets including Ireland’s health system. Ukraine’s national infrastructure is clearly better prepared than many for these types of attack, and state actors may as a result turn their attention to softer targets.
Ransomware gangs in countries like China and North Korea might also step up their operations.
There are also those engaged in cyber warfare in support of Ukraine. People close to the Ukrainian Government have openly asked for support and shared a list of targets. The initial list of Russian targets has been posted online and includes Russian corporate entities like Gazprom, Lukoil and three Russian banks. In addition, a number of hacking organisations have promised support to the Ukrainian people, including the Anonymous group, which claims to have hijacked Russian TV stations for its own broadcasts. Those broadcasts reportedly started with Ukrainian folk songs and then moved to a documentary telling Russian viewers the true nature of Putin’s attacks. Anonymous also claims to have altered records relating to Putin’s private yacht and to have published what it said were battle command instructions.
Conti has itself also been the target of counter-attacks, and rumours are circulating that the group is splintering as some members disassociate themselves from the Russian regime. It is important to remember that ‘gangs’ like Conti and Anonymous are in practice often quite fluid organisations. They break up and reappear elsewhere, which again adds to the sense of chaos when trying to defend against these attacks.
As a result of this chaos, even if some attacks are planned out with infrastructure targets on each side, experience tells us that wars like this usually spill over into attacks on innocent targets. Ransomware gangs are somewhat scattergun in their attacks, and even state actors can make the wrong assumptions – for example, the attack on UK TV personality Keith Chegwin in 2001 after Chinese attackers assumed he was an agent of the US Government.
It follows that it is probably a good idea for everyone to assume that they are a possible target and to take action accordingly. For infrastructure providers, this is likely to mean looking at their obligations not only under GDPR, but under legislation like NIS as well. There’s more on NIS and the proposed extension to that regime here https://www.corderycompliance.com/client-alert-nis-2-directive/
Will an organisation still be liable if there is a data breach?
The answer is almost certainly yes. Regulators and courts may have more sympathy with anyone attacked at this time – whether they were targeted on purpose or were simply collateral damage – but the liability position remains unchanged. As we have said in recent alerts and in our film here https://www.corderycompliance.com/episode-271-techlaw10-legal-class-actions-us-europe/, data protection litigation has grown enormously in Europe in the last two years. Those bringing these cases are unlikely to pass up a case.
The obligation under GDPR to put in place adequate technical and organisational measures (TOMs) remains. In many cases, attackers in times of war use the same techniques as attackers in times of peace. They will look for vulnerabilities in an organisation’s systems – including known, unpatched vulnerabilities in common software. They will also be looking at critical suppliers to see if one attack can harm many. We have looked recently at the effects of the Blackbaud attacks – see here https://www.corderycompliance.com/blackbaud-revisited/. Another example is the attack on UKG’s Kronos systems at the end of last year, which affected a wide range of organisations big and small. We can expect more attacks on suppliers and partners as well as attacks on the organisation itself.
What about insurance?
Most organisations will need to check their policy wording, even if they think they have a policy in place which might cover these events. Insurance policies will commonly have a war exclusion clause which seeks to specifically exclude coverage for acts of war, such as invasions, insurrections, revolutions, military coups, and terrorism. Insurers have previously denied coverage under similar clauses. In 2017, Russia was said to be behind a malware attack known as NotPetya that affected computer systems worldwide, including those of multinational pharmaceutical company Merck & Co. Merck sought to rely on its insurance to make good its losses. The insurer denied coverage relying on a war exclusion clause, but Merck issued proceedings in the US arguing that the facts demonstrated that NotPetya “was not an official state action, but rather was a form of ransomware, and moreover that even if it was instigated by Russia to harm Ukraine, the exclusion would still not apply.” Since the Merck case, however, many insurers (including Lloyd’s) have tightened up their policy wording, and some attacks here may be closer to the circumstances envisioned by a common war exclusion clause.
What about ransomware payment risk?
There are already sanctions against those connected with ransomware. For example, in April 2021 the US imposed sanctions against 32 entities and officials involved in cybercrimes “and other acts of disinformation”. The April 2021 sanctions were said to be partially in response to a number of cyberattacks, including the SolarWinds attack.
In December 2019, the US Treasury Department’s Office of Foreign Assets Control (OFAC) took action against Evil Corp, another Russian-based gang, and charged two of Evil Corp’s members with criminal violations. In July 2020 the EU also imposed sanctions in response to the WannaCry, NotPetya, and Operation Cloud Hopper ransomware attacks. Those sanctions cover individuals and organisations with connections to China, North Korea and Russia.
In September 2021 OFAC also added a currency exchange to its sanctions list. SUEX (a.k.a. “SUCCESSFUL EXCHANGE”), a provider with a presence in both Russia and the Czech Republic, was suspected of helping process ransomware payments. So there is a risk that any payments made could involve sanctioned entities in the payment chain – either in the crypto world or real-life Russian banks – as well as the risk of sanctioned entities ultimately receiving the money. There are details of some of the Russian banks and financial institutions which have been sanctioned here https://www.corderycompliance.com/uk-sanctions-on-russia/.
There are more details of the issues with paying ransoms here https://www.corderycompliance.com/ransomware-pay-or-not/.
There is an added problem with sanctions since attribution can be difficult – how do you know who is attacking you, and how do you know with certainty where the money is going? One of the big problems with paying ransoms is that you often don’t know who is behind the attack and, if you are paying in cryptocurrency, you don’t know where the money ends up. Any payment to a ransomware gang therefore carries a heightened risk of a sanctions violation.
What can we do?
- Training and awareness are key. As we have said before, make sure that you are raising awareness of the heightened current risk with your employees and sub-contractors.
- Make sure that your cybersecurity stance recognises the heightened risk. Patching software remains vitally important. You might want to implement a four-eyes system so that somebody independently verifies that patches have actually been applied.
- Rehearse – breaches are inevitable so preparation is a wise investment. This might include having good lawyers on standby since we know that the initial hours after a breach are crucial in successfully defending claims. This is also likely to include rehearsing a breach for example with a Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2/).
- Look in detail at contracts with vendors and other third parties. You will need to look carefully at emphasising your processors’ obligations to let you know immediately if they suspect a possible breach. In our view audit rights are also important – too often organisations are vague about cause and effect, and it can take the exercise of audit rights to get proper information.
- You may also want to consider your position on ransomware payments and agree a strategy in advance. We have a more detailed note looking at the ‘To Pay or Not to Pay’ considerations for ransomware here https://bit.ly/ransompay.
- Finally it is worth remembering that you’re unlikely to be able to insure this risk away – insurers are tightening up on coverage where ransomware is involved.
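The four-eyes patch check suggested in the list above can be made concrete in a small script. The following is an added example, not code from Cordery or from any product mentioned in the post: it compares each host’s installed package versions against a required minimum, flags anything behind, and only accepts a review when the verifier is a different person from the one who applied the patches. The host inventory, package names and version numbers are constructed for illustration.

```python
"""Added example: a four-eyes patch-status check (constructed data, not the post's own)."""
from dataclasses import dataclass
import re


def parse_version(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts above 1.9.

    A plain string comparison ranks '1.9' above '1.10', a classic mistake in
    home-grown patch checks; comparing integer tuples avoids it.
    Non-numeric tails are ignored, so use purely numeric versions here.
    """
    return tuple(int(part) for part in re.findall(r"\d+", v))


# Constructed minimum versions an organisation might require.
REQUIRED_MIN = {
    "openssl": "3.0.2",
    "log4j": "2.17.1",
}

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"openssl": "3.0.2", "log4j": "2.17.1"},
    "web-02": {"openssl": "3.0.1", "log4j": "2.17.1"},   # openssl behind
    "app-01": {"openssl": "3.0.10", "log4j": "2.14.1"},  # log4j behind; 3.0.10 > 3.0.2
    "db-01": {"openssl": "3.0.2"},                       # log4j not installed: nothing to check
}


def find_unpatched(inventory: dict, required: dict = REQUIRED_MIN) -> dict:
    """Return {host: [package, ...]} for every package below its required minimum."""
    findings = {}
    for host, packages in inventory.items():
        behind = [
            pkg for pkg, installed in packages.items()
            if pkg in required
            and parse_version(installed) < parse_version(required[pkg])
        ]
        if behind:
            findings[host] = behind
    return findings


@dataclass
class PatchReview:
    applied_by: str
    verified_by: str
    unpatched: dict


def four_eyes_review(inventory: dict, applied_by: str, verified_by: str,
                     required: dict = REQUIRED_MIN) -> PatchReview:
    """Four-eyes control: the verifier must differ from the person who patched.

    The review record carries both names, so the evidence of who checked the
    patch state is kept alongside the findings themselves.
    """
    if applied_by == verified_by:
        raise ValueError("four-eyes rule: verifier must differ from the person who applied patches")
    return PatchReview(applied_by, verified_by, find_unpatched(inventory, required))


def review_passes(review: PatchReview) -> bool:
    """A review passes only when no host is behind on any required package."""
    return not review.unpatched


if __name__ == "__main__":
    review = four_eyes_review(INVENTORY, applied_by="alice", verified_by="bob")
    for host, pkgs in review.unpatched.items():
        print(f"{host}: behind on {', '.join(pkgs)}")
    print("review passes" if review_passes(review) else "review FAILS")
```

In practice the inventory would come from a configuration-management or vulnerability-scanning export rather than a literal dictionary, and the review record would be stored where an auditor can later see who applied and who verified each patch cycle.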
For Further Information
There is a podcast from the BBC explaining some of North Korea’s capabilities in this area – https://www.bbc.co.uk/programmes/w13xtvg9
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
The photograph which accompanies the blog was taken in Moscow in 2013. For context you can see the clip here https://youtu.be/0pFX1lziudA.
NCSC has issued further guidance here https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785