American hospitals are increasingly falling victim to cyber attacks, NPR reported. Specifically, they’re being targeted in “ransomware” schemes, where hackers lock up data and demand money from its owners to get it back. Cybersecurity contends with illegal system intrusions.
According to NPR, cyber criminals are increasingly targeting the health care industry for money. “Some U.S. hospitals have been hit by coordinated ransomware attacks designed to infect systems for financial gain,” the article said. “The agencies said hackers are using Ryuk ransomware—malicious software used to encrypt data and keep it locked up—and the Trickbot network of infected computers to steal data, disrupt health care services, and extort money from health care facilities.
“Such data hijacking often cripples online systems, forcing many to pay up to millions of dollars to restore their services.”
Defining and opposing illegal system intrusions like these is a major part of cybersecurity.
Parameters of Cybercrime
Defining cybercrime—especially hacking—is more difficult than we’d expect.
“In the United States, the controlling law is the Computer Fraud and Abuse Act, or CFAA, which makes it a crime to access a computer without or in excess of authorization,” said Professor Paul Rosenzweig, Professorial Lecturer in Law at The George Washington University Law School. “But how do we determine what the limits of your authorization are? Since the term is not defined in law, the courts have looked to contractual arrangements that govern the use of a computer or internet systems.”
These contractual arrangements are the “Terms of Service” associated with many websites used by the public. Professor Rosenzweig said the interesting part is that it means private corporations are effectively establishing what conduct violates federal law when they set up their company policies.
“What this new rule does is create computer crimes for activities that are not crimes in the physical world,” Professor Rosenzweig said. “If an employee photocopies an employer’s confidential document to give to a friend without that employer’s permission, there is no federal crime, though there probably is a contractual violation. However, if the same employee e-mails that document to a friend, that’s a CFAA crime.”
The Trouble with Borders
Preventing and solving cybercrime hits a hurdle when it comes to identifying and stopping the culprits.
“The reality is that cybercrime is predominantly transnational in character,” Professor Rosenzweig said. “In the real world, we can find fingerprints and the like, but the possibility of action at a distance in cyberspace makes it very hard to capture criminals who can remain anonymous.
“So we are faced with a vexing situation: High-profit criminality can occur with low risk of capture.”
This hinders deterrence, which relies on threatening criminal behavior with a high likelihood of arrest and punishment. There’s also an international problem to consider. Professor Rosenzweig said that Depression-era bank robbers could escape punishment simply by crossing state lines, because state law officials couldn’t prosecute them in other states. The U.S. government solved this by making bank robbery a federal offense, thus eliminating boundaries.
“Unfortunately, in the international context, that kind of agreement isn’t realistic,” he said. “Today we are just at the beginning of constructing a transnational set of procedural rules of cybercrime.”
Problems like anonymity and transnational crime and punishment may need to be addressed before effective cybercrime laws can truly be put into place.
Professor Paul Rosenzweig contributed to this article. Professor Rosenzweig is a Professorial Lecturer in Law at The George Washington University Law School. He earned his JD from the University of Chicago Law School and then served as a law clerk to the Honorable R. Lanier Anderson III of the United States Court of Appeals for the Eleventh Circuit.