Reactie internetconsultatie Tijdelijke wet onderzoeken AIVD en MIVD naar landen met een offensief cyberprogramma

Tot 17 april 2022 kan je reageren op internetconsultatie.nl op het wetsvoorstel ‘Tijdelijke wet onderzoeken AIVD en MIVD naar landen met een offensief cyberprogramma’.

Het wetsvoorstel is belangrijk, omdat het nieuwe bepalingen bevat met betrekking tot de hackbevoegdheid en onderzoeksopdrachtgerichte interceptie (bulkinterceptie). Het idee is toezicht deels te verleggen van vooraf naar toezicht tijdens en achteraf. Op die manier wordt de diensten meer flexibiliteit en meer armslag gegeven. Ook wordt een beroepsprocedure geïntroduceerd bij de Afdeling bestuursrechtspraak van de Raad van State.

Het betreffen wijzigingen in een tijdelijke wet gedurende vier jaar, maar het zijn desalniettemin hele belangrijke wijzigingen. Dat maakt volgens ons een tussentijdse evaluatie noodzakelijk voor de aankomende grote wetswijziging van de Wet op de inlichtingen- en veiligheidsdiensten 2017. In onze reactie (.pdf) op internetconsultatie gaan we verder in op de reikwijdte van het wetsvoorstel, de inzet van de hackbevoegdheid in het kader van strategische operaties en het voorgestelde beroepsstelsel.

Kortgezegd vinden we dat de reikwijdte van het wetsvoorstel beter moet worden omgeschreven en de ministers ook zouden moeten reageren op wat de rol van de diensten is bij criminele groeperingen die de nationale veiligheid bedreigen, bijvoorbeeld door de inzet van ransomware. Ook vinden we dat de inzet van de hackbevoegdheid in de context van ‘strategische operaties’ beter moet worden uitgelegd. Willen de ministers misschien aansluiten bij het concept van ‘active cyber defense’? Dan kan dat ook beter worden omschreven.

Ten slotte vinden we dat de beroepsprocedure bij de Afdeling niet voldoende wordt uitgewerkt in het wetsvoorstel. De noodzaak van de beroepsprocedure en de verhouding met de Awb en de Procesregeling met de mogelijkheid van de inzet van deskundigen en amicus curiae, moet duidelijker. Ook bevelen we aan eens over de grens te kijken hoe bijvoorbeeld de ‘Foreign Intelligence Surveillance Court’ (FISC) te werk gaat.

Jan-Jaap Oerlemans & Sophie Harleman

Death by ransomware

On 10 September 2020, ransomware infected 30 servers at University Hospital Düsseldorf, crashing systems and forcing the hospital to turn away emergency patients. As a result, German authorities stated that a woman in a life-threatening condition was sent to a hospital 20 miles away in Wuppertal and died from treatment delays. On 28 September, another alarming news article stated that ‘a major hospital chain’ was targeted with ransomware in ‘more than 400 locations’ (!) across the USA. Ransomware is malicious software (malware) that blocks access to someone’s computer system or files on the system and subsequently demands a ransom to be paid for unlocking the computer or files. For years, ransomware is the no. 1 popular malware among cybercriminals (see Europol).

In this blog post, I examine these incidents and reflect upon them from a Dutch legal perspective, because ransomware incidents in hospitals also take place in the Netherlands. I also consider whether IT systems in healthcare are a ‘vital infrastructure’, which may receive special protection from the Dutch National Cyber Security Centre.

Murder by ransomware?

Ransomware targeting hospitals is unfortunately not new. In 2016, news reports mentioned ransomware targeting a hospital in Los Angeles (USA). The Dutch government stated that between 2014 and 2017, four incidents occurred with ransomware in Dutch hospitals. The EU cyber security agency ENISA warned in 2018 that ransomware increasingly targeted medical devices and hospitals in order to demand a higher amount in ransom, as opposed to infecting computers of individuals. Individuals will only pay for decrypting one PC for example, whereas business and hospitals may pay hundreds of thousands of euros to decrypt many computers (such as servers storing valuable information).

Earlier this year (2020), a ransomware attack occurred at a hospital in Leeuwarden, the Netherlands. These attacks may seek to infect computers with ransomware to earn money, but may also lead to different types of extortion when perpetrators demand payment under threat of releasing medical records.

In Germany, the ransomware infections have led to an unfortunate chain of events, in which the unavailability of computers made it impossible to take care of certain patients in their hospital. News articles mention how authorities contacted the cybercriminals to shut down their ransomware, because they infected computers at a hospital and threatened the lives of patients. The cybercriminals, supposedly unaware their malware infected computers in a hospital complied, but it was unfortunately too late for one patient.

As such, the German public prosecution service is investigating whether the perpetrators can be charged with murder. The high sentence for this most serious crime makes it an attractive option for prosecution authorities, reflecting the seriousness of the consequences of this particular attack. In the Netherlands, many articles in our Penal Code can also be considered in a situation like this, such as article 161sexies(3), which states that infecting a computer with malware that endangers the life of person and results in their death can lead to imprisonment for a maximum of 15 years.

Difficulties in prosecuting for ransomware

Gathering the necessary evidence to prosecute the suspect can be extremely difficult, especially when the suspect resides outside the investigating State’s territory (in my PhD thesis ‘Investigating Cybercrime’ I researched these problems extensively). Usually, ransomware is deployed to earn money in cryptocurrency (such as Bitcoin). In our open access article ‘Laundering the profits of Ransomware’ published last summer, we (Custers, Oerlemans & Pool) examined the relationship between money laundering and ransomware. Possibly, this research may provide insights for law enforcement authorities to collect evidence based on the money trail in ransomware incidents. But maybe it works more like the cyber security guru ‘The Grugq’ said on Twitter:

Prediction: The ransomware kid — who’s hacking lead to a woman’s death in Germany — has done more for advancing cyber norms than any paper, book, article, talk, conference, round table, etc etc. have ever managed to accomplish.”

Cyber security and hospitals in the Netherlands

The incident in Germany made me wonder what the state of security is at hospitals in the Netherlands. It seems to me that when computer systems are adequately secured, network traffic is monitored and the IT infrastructure is separated, catastrophic security incidents like the above can be avoided in some cases, or the seriousness of the consequences can be reduced.

A quick look into parliamentary history reveals quite some attention for cyber security in hospitals, usually after an incident occurred. Over the years, parliamentary members questioned the minister of Justice and Security several times about the state of cyber security of hospitals (see, these answers to parliamentary questions in 2016, 2017, 2018, and recently these answers in 2020 regarding a cyber security incident at hospitals in Leeuwarden). The Dutch government emphasized repeatedly in their response that IT security at hospitals is their own responsibility and not a ‘vital process’ relating to national security that requires extra (national) protection.

In August 2020, this position changed somewhat with new legislation that grants the National Cyber Security Centre the task to aid in security incidents for organisations in the healthcare sector. Over the years, the National Cyber Security Centre set up an ‘Information Sharing and Analysis Centre’ (ISAC) for the healthcare sector to facilitate information sharing regarding threats. Also, a ‘Computer Emergency Response Team’ (CERT) was set up for the healthcare sector (“Z-CERT”).

Hopefully, these serious cyber security incidents inside and outside the Netherlands lead to some real changes in order to properly secure vital IT infrastructures, such as the infrastructure of hospitals. There appears to be a tension in finding the correct balance in relying upon the private protection of IT-systems and providing enough security with aid of the National Cyber Security Centre. It is interesting to see how this may change in the near-future.

This is cross post from Montaigne Blog.

— UPDATE —-

It turns out the German patient would have died due to her medical conditions, regardless of the ransomware attack. In this interesting in-depth Wired article, the doctor states it will be only a matter of time before a patient does die because of a ransomware attack at a hospital.