In 2020, losses due to ransomware attacks hit $20 billion.[1] Nearly double the losses that corporations experienced in 2019.[2] These attacks increased largely due to countries like Russia providing safe havens for cybercriminals by refusing to extradite them provided they don’t attack Russia itself.[3] International efforts to curb the recent surge in attacks are ramping up.[4]
Some attempts to solve the extradition problem include the Budapest Convention, which facilitates mutual assistance and extradition between signatories, but many important countries, including Russia, have refused to join the convention.[5] Other efforts include this year’s G-7 meeting, where hope for progress increased when Russian President Vladimir Putin stated that extradition would occur “only if the . . . the United States agrees to the same and will also extradite corresponding criminals to the Russian Federation.”[6] However, even if these talks result in an extradition treaty between Russia and the United States, there would only be temporary relief as hackers could find a new safe haven.[7] To help curb the problem of increased ransomware attacks, international arbitration, just like extradition, should be given serious attention.
Today, the United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards of 1958, also known as the New York Convention, could be used to promote accountability for transnational ransomware attacks.[8] Notably 157 countries, including Russia, are signatories.[9] This is a solution that could provide continuous enforcement against bad actors and the framework for a new arbitration scheme is readily available.[10]
To make some actors in countries like Russia accountable, companies, such as internet service providers, should require that disputes relating to ransomware attacks be subject to international arbitration.[11] Additionally, a new arbitration scheme could be tailored to the unique problems that ransomware attacks introduce, one that would allow corporations or states to sue perpetrators who violate terms, like the International Telecommunication Union.[12]
This writer believes that the solution offered by this possible framework should be aggressively pursued, while acknowledging its shortcomings. There are three major shortcomings with this approach.
First, if this new arbitration scheme is created, there will be a possibility of arbitration actions that do not solely target cyber-criminal activity, but internet use that is not cyber-criminal activity and yet is deemed a violation of the terms of service.[13] This is due to the nature of arbitration, since what is subject to arbitration actions would be as broad as what the terms of service agreement deems arbitrable.[14] While this is concerning to the open and decentralized nature of the internet, a solution could come in the form of limiting language in the new international arbitration framework that is drafted to limit those enforceable arbitration terms to only actions that are transnational and constitute cyber-crimes.
The second issue is the nature of arbitration itself. While this method does provide some form of potential recovery for companies, it does not have the enforcement power that extradition carries.[15] Criminal organizations could possibly absorb the costs that are incurred from arbitration and remain operable. While this option is certainly weaker than the criminal actions that might come with extradition, international arbitration schemes that already exist are easier to adopt since they are not seen as undermining a country’s sovereignty, unlike extradition.[16]
The last issue applies to both arbitration and extradition. Even with extradition and arbitration available, these legal avenues do not solve some of the glaring issues of cyber-crime. According to former FBI special agent in charge of fighting cybercrime, catching a hacker is very, very difficult.[17] Even a novice can hide their identity using “obfuscation” technologies.[18] Another issue is that the world is suffering from a skill shortage.[19] It is so great that there are currently 3.5 million unfilled cybersecurity jobs worldwide.[20] This skill shortage, while estimated to be better in four to five years, prevents arbitration and extradition from helping to resolve the ransomware crisis, since companies and government agencies lack the personnel to track down the bad actors.[21]
In conclusion, while there are issues with the arbitration approach, it is seemingly one of the more possible avenues of reducing economic pain resulting from the recent increase in ransomware attacks. Ransomware is an international legal issue, and all avenues should be pursued to help relieve the economic burden it puts on corporations, including extradition and international arbitration.
[1] 2021 Ransomware Statistics, Data, & Trends, PurpleSec, https://purplesec.us/resources/cyber-security-statistics/ransomware/ (last visited Sep. 10, 2021).
[2] Id.
[3] Lynsey Jeffery, Why Ransomware Attacks are on the Rise – and What Can be Done to Stop Them, PBS (July 8, 2021, 3:28 PM), https://www.pbs.org/newshour/nation/why-ransomware-attacks-are-on-the-rise-and-what-can-be-done-to-stop-them.
[4] Maria Korolov, Russia Cybercrime: Is Extradition Ahead?, DataCenter Knowledge (June 15, 2021), https://www.datacenterknowledge.com/security/russian-cybercrime-extradition-ahead.
[5] Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Intl. L. 191, 217 (2018).
[6] Korolov, supra note 4.
[7] Id.
[8] United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards, June 10, 1958, 330 U.N.T.S. 38; Perloff-Giles, supra note 5.
[9] List of Contracting States, N.Y. ARB. Convention, http://www.newyorkconvention.org/list+of+contracting+states (last visited Sep. 10, 2021).
[10] Perloff-Giles, supra note 5, at 211—12.
[11] Id. at 213.
[12] Id.
[13] What is International Arbitration?, Aceris Law LLC, https://www.international-arbitration-attorney.com/what-is-international-arbitration/ (last visited Oct. 14, 2021).
[14] See also Michael P. Malloy, Current Issues in International Arbitration, 15 Transnat’l Law. 43, 44-45 (2002).
[15] Reza Mohtashami OC, Non-Compensatory Damages in Civil and Common Law Jurisdictions: Requirements and Underlying Principles, Global Arbitration Review (Feb. 1, 2021), https://globalarbitrationreview.com/guide/the-guide-damages-in-international-arbitration/4th-edition/article/non-compensatory-damages-in-civil-and-common-law-jurisdictions-requirements-and-underlying-principles (Stating that damages are largely limited to monetary damages in the form of recovery or in limited circumstances, punitive damages).
[16] Perloff-Giles, supra note 5, at 211.
[17] Charles Orton-Jones, Catching Hackers is Not Getting Easier, Raconteur (Mar. 8, 2016), https://www.raconteur.net/technology/cybersecurity/catching-hackers-is-not-getting-easier/.
[18] Id.
[19] Jeffery, supra note 3.
[20] Id.
[21] Id.