Oxford Statement on International Law Protections in Cyberspace: The Regulation of Ransomware Operations

In the past few months, nothing has reminded everyone of the etymology of the expression “computer virus” like ransomware. This form of malicious code is delivered through a vulnerability in the victim’s system, such as a phishing email or password spraying, infiltrating and potentially crippling it like a disease. Specifically, ransomware is used to encrypt user data and either delete or release that data unless a demand (commonly for money) is met. Ipso facto, ransomware causes by definition adverse consequences for its intended and unintended targets. Even when the ransom is paid or the attacker’s demand is eventually met, frequently a portion of the encrypted data will have been lost anyway and the victim may be forced to stay offline for a while, incurring significant costs to repair or change its systems. Where the victim serves others, for example, providing public goods like healthcare, education, or utilities, the adverse consequences can quickly, and foreseeably, spread beyond the ransomware’s initial targets.  In other cases, the means by which ransomware is delivered — especially when delivered through or as part of a digital supply chain attack — can produce a range of cascade effects harming entities who were not the “real” target of the operation but nonetheless suffer its consequences.

Recent months saw a significant surge in ransomware operations. For instance, in May 2021, Colonial Pipeline, a United States oil pipeline system carrying gasoline and jet fuel, was forced to halt its operations to ensure system safety following a ransomware attack. As a result, there was panic buying and shortage of gasoline which led to the highest average gasoline prices in the US for seven years. The attack on the meat provider JBS has been connected to a rise in the price of beef and pork. In the United Kingdom, ransomware attacks have targeted the education sector with increasing frequency, leading to the loss of student coursework, school financial records and data relating to COVID-19 testing. The internal network of Brazil’s National Treasury was hit by ransomware in August 2021, and September saw a ransomware operation against South Africa’s Justice Department. It is no wonder that — using an expression that has sadly become all too common — we are witnessing a “ransomware epidemic.” The cost of this epidemic, both financially and otherwise, may be very high. According to recent reports, India saw a significant increase in the financial impact of ransomware operations: the approximate recovery cost from the impact of ransomware tripled in the last year, up from $1.1 million in 2020, to $3.38 million in 2021.

The ever-growing number of attacks and increased professionalization of actors behind ransomware operations call for robust action by states to meaningfully protect cyber infrastructure under their jurisdiction and control. Countering ransomware is not just a matter of national security and good governance. It is an obligation under international law, one highlighted in the latest, and fifth, Oxford Statement on the Protections of International Law in Cyberspace. Like previous iterations of the Oxford Process, the Fifth Statement aims to reflect existing principles and rules of international law in their application to cyber operations and to call upon all states and other international actors to abide by them. Previous Oxford Statements on international law protections in cyberspace have focused on the rules of international law when viewed from the perspective of objects or processes which deserve protection, e.g. the rules which apply to cyber operations that target the health sector, vaccine research, electoral processes. However, as with our Fourth Statement, which sets out rules relating to information operations and activities, the present Statement focuses on a specific type or method of cyber operation.

While it may appear obvious that states must not themselves engage in ransomware, calling into play a set of negative obligations under international law, this is just the starting point. Ransomware is a problem not only when state-directed or state-sponsored, but even when carried out by non-state actors and tolerated or acquiesced in by different states, including the one from which it originates. For this reason, all states have an obligation to give effect to the well-established rules of international law requiring them to adopt protective measures against the harm caused by ransomware operations which are carried out by others. Those impose obligations not only to take feasible measures to put an end to harm caused to the rights of other states but also to take measures to prevent the infringement of the human rights of persons within the state in question. Duties to protect against ransomware may be complied with in several ways, ranging from the investigation and punishment of those responsible for ransomware and the training of specialized cybersecurity personnel, to the adoption of technical measures to strengthen cyber infrastructure, international cooperation and information-sharing. We very much hope that the adoption of these and other measures against ransomware will constitute an effective remedy, if not a cure against the particularly pernicious form of cyber operation that ransomware embodies.

Our survey of existing international law — whose results are enshrined in the Statement reproduced below — reveals that there is no space for ransomware in a healthy, peaceful, and prosperous international community. All states are called upon to fully commit to this vision.

The Fifth Statement and its current signatories are reproduced below. As with other Statements, we seek the broadest possible support within the profession from across the globe.  International lawyers who wish to append their name to the statement are invited to express their interest via email to oxfordcyberstatement {at} gmail(.)com.

The Oxford Process is convened under the auspices of the Oxford Institute for Ethics, Law and Armed Conflict whose work on international law in cyberspace is supported by funding from Microsoft and the Government of Japan.

THE OXFORD STATEMENT ON INTERNATIONAL LAW PROTECTIONS IN CYBERSPACE: THE REGULATION OF RANSOMWARE OPERATIONS

Reiterating the commitment expressed in the First, Second, Third and Fourth Oxford Statements to clarify rules of international law applicable in the use of information and communications technologies;

Noting that ransomware (i.e. malware designed to encrypt data and render it unavailable unless a demand is met) is a global threat, having been employed at an escalating pace by a growing number of malicious actors, including states and non-state groups for financial or political purposes, often connected to criminal and other unlawful activities such as terrorism, human and drug trafficking, money laundering, sanctions evasion, and the proliferation of weapons of mass destruction;

Stressing that the COVID-19 pandemic and our increased dependency on the Internet and other information and communications technologies have enhanced vulnerabilities to and opportunities for ransomware and other types of malware that facilitate its distribution, including the targeting of remote control or monitoring systems and the use of phishing emails, malicious websites or false notifications;

Considering that ransomware has, in the vast majority of cases where it has been employed, caused significant and widespread harm to public and private institutions, as well as individuals, such as financial loss, reputational damage, breach of confidentiality, and the significant disruption of critical infrastructure, including healthcare and education, while posing an imminent risk of destructive harm to industrial control systems such as electric grids, water distribution systems and nuclear power plants;

Bearing in mind that ransomware can take increasingly varied and sophisticated forms, including targeted and indiscriminate operations, and lead to the denial of access to and/or the unauthorized release of data if demands are not met;

We agree that:

1. Conduct carried out through information and communications technologies, such as ransomware operations, is regulated by international law.
2. States must refrain from conducting, directing, authorising or aiding and assisting ransomware operations which violate the principles of sovereignty or non-intervention in a state’s internal or external affairs, or amount to a prohibited threat or use of force within the meaning of the Charter of the United Nations. In particular, states must refrain from ransomware operations which are aimed at or result in disruption to electoral systems, healthcare, electric grids, water distribution systems, and nuclear power plants.
3. States must refrain from conducting, directing, authorising or aiding and assisting ransomware operations that result in violations of the human rights of individuals within their jurisdiction, such as the right to life, health, private life, education, property, freedoms of thought and opinion, freedom of expression, including the freedom to seek, receive and impart information and ideas of all kinds.
4. a) States must not allow their territory or infrastructure under their jurisdiction or control to be used by states or non-state actors for ransomware operations that are contrary to the rights of other states, when the former states know or should know of such operations.
   b) To discharge those duties, states from which ransomware operation emanates, in full or in part, must take feasible measures to stop such operations and otherwise address the situation. Such measures may include the conduct of investigations, the adoption of legal and technical measures, as well as cooperation with other states. Any measures taken in this regard must be compliant with applicable obligations under international law, including international human rights law.
5. States must take measures to protect the human rights of individuals within their jurisdiction from harmful ransomware operations, including when such operations are carried out by other states and non-state actors. To discharge this obligation, states may, among other measures, prohibit ransomware by law, take feasible steps to stop ransomware operations, mitigate their effects, investigate and punish those responsible, as well as prevent and suppress ransom payments to the extent possible. Where such protective measures interfere with other human rights, they must conform with applicable legal requirements, such as legitimate purpose, legality, necessity, proportionality and non-discrimination.
6. The use of ransomware during armed conflict is subject to the applicable rules of international humanitarian law (IHL). These rules include, but are not limited to, the duty to respect and ensure respect for IHL, which entails an obligation to prevent violations of IHL; the duties to respect and to protect specific actors or objects, including medical personnel and facilities and humanitarian personnel and consignments; the duties concerning objects indispensable to the survival of the civilian population as well as those concerning works and installations containing dangerous forces; and other rules on the protection of civilians, civilian objects, and of persons who no longer participate in hostilities, such as the sick, wounded, and prisoners of war.
7. The use of ransomware will amount to international crimes, such as genocide, war crimes and crimes against humanity, where the elements of those crimes are fulfilled.
8. The application of the aforementioned rules is without prejudice to any other applicable rules of international law that provide protections against ransomware and related activities.

1. Dapo Akande, Professor of Public International Law, Co-Director, Oxford Institute for Ethics, Law & Armed Conflict (ELAC), University of Oxford
2. Mariana Salazar Albornoz, Member, Inter-American Juridical Committee (OAS) and Professor of International Law, Universidad Iberoamericana, Mexico City
3. Kai Ambos, Professor and Chair of Criminal Law, Procedure, Comparative Law, International Criminal Law and Public International Law, Georg August Universität Göttingen, Germany
4. Joshua Andresen, Deputy Head of School and Reader in National Security and Foreign Relations Law, School of Law, University of Surrey
5. Pouria Askary, Associate Professor of International Law, Allameh Tabataba’i University
6. William Banks, Board of Advisers Distinguished Professor, Syracuse University College of Law
7. Richard Barnes, Professor, The University of Lincoln
8. Orna Ben-Naftali, Professor of Law and Emile Zola Chair for Human Rights, The Striks Law Faculty, The College of Management Academic Studies, Israel
9. Nehal Bhuta, Chair of Public International Law, University of Edinburgh
10. Ziv Bohrer, Senior Lecturer in International Law, Faculty of Law, Bar-Ilan University
11. Michael Bothe, Professor emeritus of Public Law, J.W. Goethe University, Frankfurt/Main
12. Tomer Broude, Professor, Bessie & Michael Greenblatt, Q.C., Chair in Public and International Law, Faculty of Law and Department of International Relations, Hebrew University of Jerusalem
13. Chester Brown, Professor of International Law and International Arbitration, Sydney Law School, University of Sydney
14. Russell Buchan, Senior Lecturer in Law, University of Sheffield
15. Michael Byers, Professor & Canada Research Chair in Global Politics and International Law, University of British Columbia
16. Nicolás Carrillo Santarelli, Associate Researcher, Institute of Human Rights at Business, UDEM University of Monterrey
17. Alejandro Chehtman, Professor of Law, Universidad Torcuato Di Tella (Argentina)
18. Roger S. Clark, Board of Governors Professor Emeritus, Rutgers Law School, Camden, New Jersey
19. Antonio Coco, Lecturer in Public International Law, University of Essex and Visiting Fellow at ELAC, University of Oxford
20. Emily Crawford, Professor, The University of Sydney Law School
21. Rebecca Crootof, Assistant Professor of Law, University of Richmond School of Law
22. Federica D’Alessandra, Executive Director of the Oxford Programme on International Peace and Security, Blavatnik School of Government, University of Oxford
23. Tom Dannenbaum, Assistant Professor of International Law, The Fletcher School of Law & Diplomacy, Tufts
24. Margaret M. deGuzman, James E. Beasley Professor of Law, Temple University Beasley School of Law
25. François Delerue, Senior Researcher in Cybersecurity Governance, Leiden University
26. Diane A. Desierto, Professor of Law and Global Affairs, Faculty Director of LLM Program in International Human Rights, Notre Dame Law School and Keough School of Global Affairs, University of Notre Dame (USA)
27. Talita Dias, Shaw Foundation Junior Research Fellow, Jesus College; Research Fellow, ELAC, University of Oxford
28. William S. Dodge, Martin Luther King, Jr. Professor of Law and John D. Ayer Chair in Business Law, University of California, Davis, School of Law
29. Jessica Dorsey, Assistant Professor of International and European Law, Utrecht University School of Law
30. Pavan Duggal, Chairman, International Commission on Cyber Security Law; Founder-cum-Honorary Chancellor, Cyberlaw University; Advocate, Supreme Court of India
31. Jeffrey L. Dunoff, Laura H. Carnell Professor of Law, Temple University Beasley School of Law
32. Max du Plessis, Senior Counsel and Barrister, South Africa, Adjunct Professor, University of Cape Town and Nelson Mandela University
33. Kristen E. Eichensehr, Martha Lubin Karsh and Bruce A. Karsh Bicentennial Professor of Law, University of Virginia School of Law
34. Martin Faix, Senior Lecturer in International Law, Palacký University Olomouc/Charles University in Prague
35. Tom Farer, Dean Emeritus and University Professor, Josef Korbel School of International Studies, University of Denver
36. David P. Fidler, Senior Fellow for Cybersecurity and Global Health, Council on Foreign Relations (USA)
37. Malgosia Fitzmaurice, Professor of International Law, Queen Mary University of London
38. Micaela Frulli, Professor, Law Department, DSG, Università di Firenze
39. Geoff Gilbert, Professor of International Human Rights & Humanitarian Law, School of Law and Human Rights Centre, University of Essex
40. Chiara Giorgetti, Professor of Law, Richmond Law School, Richmond (VA,USA)
41. Richard J. Goldstone, Retired Justice of the Constitutional Court of South Africa, former Chief Prosecutor of the ICTY and ICTR
42. Guy S. Goodwin-Gill, Professor, Faculty of Law & Justice, University of New South Wales (UNSW); Andrew & Renata Kaldor Centre for International Refugee Law, UNSW; Emeritus Fellow, All Souls College, Oxford
43. Gregory S. Gordon, Professor of Law, The Chinese University of Hong Kong Faculty of Law
44. James A. Green, Professor of Public International Law, Head of Research, Bristol Law School, OWE Bristol
45. Douglas Guilfoyle, Associate Professor of International and Security Law, University of New South Wales Canberra
46. Oleg Gushchyn, Professor, Military Law Department, Taras Shevchenko National University of Kyiv, Ukraine
47. Yael Vias Gvirsman, Director of the International Criminal and Humanitarian Law Clinic, Harry Radzyner Law School, Reichman University, Attorney and Consultant specializing in International Law
48. Steven Haines, Professor of Public International Law, University of Greenwich
49. Monica Hakimi, James V. Campbell Professor of Law, University of Michigan Law School
50. Adil Haque, Professor of Law and Judge Jon O. Newman Scholar, Rutgers Law School
51. Mohamed S. Helal, Associate Professor of Law, The Ohio State University; Member, Permanent Court of Arbitration; Member, African Union Commission on International Law
52. Kevin Jon Heller, Professor of International Law and Security, University of Copenhagen (Centre for Military Studies); Professor of Law, Australian National University
53. Christian Henderson, Professor of International Law, University of Sussex
54. Stacey Henderson, Lecturer, Adelaide Law School, The University of Adelaide
55. Duncan B. Hollis, Laura H. Carnell Professor of Law, Temple University School of Law
56. María José Cervell Hortal, Professor of Public International Law and International Relations, University of Murcia, Spain
57. Deborah Housen-Couriel, The Federmann Cyber Security Research Center at the Hebrew University of Jerusalem; Chief Legal Officer and VP Regulation at Konfidas Digital Ltd
58. Karen Hulme, Professor of Law, University of Essex, United Kingdom
59. Eric Talbot Jensen, Robert W. Barker Professor of Law, Brigham Young University
60. Derek Jinks, A.W. Walker Centennial Chair in Law, University of Texas School of Law
61. Kate Jones, Associate Fellow, Chatham House
62. Ido Kilovaty, Associate Professor of Law, University of Tulsa College of Law
63. Pierre Klein, Professor, Université libre de Bruxelles
64. Robert Kolb, Professor of Public international law, University of Geneva
65. Leonhard Kreuzer, Research Fellow, Max Planck Institute for Comparative Public Law and International Law, Heidelberg, Germany
66. Joanna Kulesza, tenured Professor of International Law and Internet Governance, University of Lodz, Poland
67. Masahiro Kurosaki, Associate Professor of International Law and Director of the Study of Law, Security and Military Operations, National Defense Academy of Japan
68. Henning Lahmann, Hauser Global Postdoctoral Fellow, NYU School of Law
69. Eliav Lieblich, Professor of Law, Buchmann Faculty of Law, Tel Aviv University
70. Noam Lubell, Professor of International Law, Director of the Essex Armed Conflict and Crisis Hub, School of Law & Human Rights Centre, University of Essex
71. Asaf Lubin, Associate Professor of Law, Indiana University Maurer School of Law; Faculty Associate, Berkman Klein Center for Internet and Society, Harvard Law School; Affiliated Fellow, Information Society Project, Yale Law School

72. Kubo Mačák, Legal Adviser, Legal Division, International Committee of the Red Cross
73. Fabrizio Marrella, Full Professor of International Law and Vice Rector for International Relations and International Cooperation, “Ca’ Foscari” University of Venice, Italy; Professeur invité, Sorbonne Law School
74. Errol P. Mendes, Full professor of constitutional and international law, University of Ottawa, Canada; President, International Commission of Jurists, Canadian Section
75. Tomohiro Mikanagi, Ministry of Foreign Affairs, Japan
76. Marko Milanovic, Professor of Public International Law, University of Nottingham School of Law
77. Lindsay Moir, Professor of International Law, University of Hull Law School
78. Evgeni Moyakine, Assistant Professor, Section IT Law / STeP Research Group, Faculty of Law, University of Groningen
79. Harriet Moynihan, Acting Director, International Law Programme, Chatham House (Royal Institute of International Affairs)
80. Roda Mushkat, Professor of International Law, Johns Hopkins University, Paul H. Nitze School of Advanced International Studies (SAIS)
81. James C. O’Brien, Vice-Chair, Albright Stonebridge Group
82. Mary Ellen O’Connell, Robert and Marion Short Professor of Law and Research Professor of International Dispute Resolution, Kroc Institute for International Peace Studies, University of Notre Dame
83. Stefan Oeter, Professor of public International Law and Director of the Institute of International Affairs, Faculty of Law, University of Hamburg
84. Obiora C. Okafor, Edward B. Burling Chair in International Law and Institutions, School of Advanced International Studies, Johns Hopkins University, Washington DC, USA
85. Roger O’Keefe, Professor of International Law, Bocconi University
86. Inger Österdahl, Professor in Public International Law, Faculty of Law, Uppsala University
87. Bruce Oswald, Professorial Fellow, Melbourne Law School, University of Melbourne
88. Jordan J. Paust, Professor Emeritus, University of Houston Law Center
89. Sejal Parmar, Lecturer, School of Law, University of Sheffield
90. Anni Pues, Lecturer in International Law, Glasgow Centre for International Law and Security, University of Glasgow
91. José Antonio Moreno Rodríguez, Arbitrator, Permanent Court of Arbitration; Member, Inter-American Juridical Committee of the Organization of American States
92. Przemysław Roguski, Lecturer in Law, Jagiellonian University in Kraków, Poland
93. Barrie Sander, Assistant Professor, Leiden University – Faculty of Governance and Global Affairs
94. Andrew Sanger, University Lecturer in International Law, University of Cambridge
95. Marco Sassòli, professor of international law, University of Geneva, Switzerland
96. Ben Saul, Challis Chair of International Law, The University of Sydney
97. Sergey Sayapin, Associate Professor and Associate Dean, School of Law, KIMEP University, Kazakhstan
98. David J. Scheffer, Former U.S. Ambassador at Large for War Crimes Issues; Clinical Professor Emeritus and Director Emeritus, Center for International Human Rights, Northwestern University Pritzker School of Law
99. Michael Schmitt, Professor of International Law at the University of Reading and G. Norman Lieber Distinguished Scholar at the United States Military Academy (West Point)
100. Bruno Simma, former Judge at the International Court of Justice; Judge, Iran-United States Claims Tribunal
101. David Sloss, John A. and Elizabeth H. Sutro Professor of Law, Santa Clara University School of Law
102. Lucía Solano, Legal Adviser to the Permanent Mission of Colombia to the United Nations in New York
103. Alfred H.A. Soons, Professor emeritus of public international law, Utrecht University School of Law, The Netherlands
104. Arun Mohan Sukumar, PhD Candidate and pre-doctoral research fellow, Centre for International Law and Governance, The Fletcher School, Tufts University
105. Professor Surya P. Subedi, QC, OBE, DC, Professor of International Law, University of Leeds, and Barrister, Three Stone Chambers, Lincoln’s Inn, London
106. Patrick C. R. Terry, Dean and Professor of Law, University of Public Administration Kehl
107. Kimberley Trapp, Professor of Public International Law, University College London
108. Nicholas Tsagourias, Professor of International Law, University of Sheffield
109. Tsvetelina van Benthem, Research Officer, ELAC
110. Larissa van den Herik, professor of public international law, Grotius Centre for International Legal Studies, Leiden University
111. Willem van Genugten, Professor em. of International Law, Tilburg University, The Netherlands
112. Liis Vihul, Founder and CEO, Cyber Law International
113. Michael Waibel, Professor of International Law, University of Vienna, Austria
114. Christopher Waters, Professor, Faculty of Law, University of Windsor
115. Steven Wheatley, Professor of International Law, University of Lancaster
116. Jan Wouters, Full Professor of International Law and International Organizations, Jean Monnet Chair ad personam, Director Leuven Centre for Global Governance Studies – Institute for International Law, KU Leuven
117. Pål Wrange, Professor of Public International Law, Stockholm University, and Director of the Stockholm Centre for International Law and Justice (SCILJ)