Ransomed, hacked and attacked?: You'll 'WannaCry'
From a legal perspective, the law has been a bit slow in keeping up with technological changes involving cyber security, but things are now starting to move, says Kim Rew, Partner, Webber Wentzel.
In the recent 2017 Global Risks Report published by the World Economic Forum, cyber attacks and data fraud or theft, were listed as some of the highest risks facing corporates and individuals in today's world, both in terms of impact and likelihood. These risks even outweighed the traditional risks that have kept executive board members awake at night, such as economic downturns, competition and fast paced regulatory changes, says Kim Rew, Partner, Webber Wentzel.
So it was no surprise that, with this report hardly cold off the press, we saw the massive ransom attack of 12 May 2017, which hit over 150 countries and more than 200 000 computers in one foul swoop. It has been called the biggest global ransom attack to date.
Unlike malware, ransomware does not steal data. Instead, it simply holds the data captive by encrypting files and then sending a "ransom note" to the victim, demanding payment for the release of the data, and threatening a total loss of the data should the ransom not be paid.
In the most recent ransom attack called "WannaCry", the hackers used a tool to encrypt files within computers that were affected, thus making them inaccessible whilst they demanded the ransom. The attack was levied at Microsoft users who had not updated their systems with the most recent patch released by Microsoft in March this year.
The attack was not selective and the effect was felt across the globe from hospitals, government agencies, car manufacturers, logistic and oil companies, right down to small businesses and individuals. The attack saw global chaos in a number of businesses, with production at some factories being halted, and people being asked to leave hospitals unless it was an absolute emergency.
The ransom payment sought was not significant either - a simple USD 300 in bitcoin (approximately ZAR 4 000). Given the consequences of being locked out from your data for a significant period of time, or the potential of losing the data forever, it was no surprise why so many victims chose to pay the ransom, a practical human response that the attackers no doubt relied upon. Make the ransom too expensive, and the chances of payment decreases. That is not to say that previous ransom attacks have not been more expensive - according to reports, last year a Hollywood hospital paid over USD 17 000 in bitcoin in a single ransom attack.
But is the paying of these small ransom amounts adding to the problem? Insurance companies granting cyber cover to clients, cover which may include ransom cover, will have to think carefully about when and how they will cover the ransom demands, as these payments can no doubt open the proverbial Pandora's box.
On local soil, a recent report by McAfee revealed that cybercrime costs South African companies more that ZAR 5 billion in direct or indirect costs every year. Although there are many numbers thrown around in terms of costs and losses, true costs are almost impossible to determine and the number of attacks and costs to the economy are just mind boggling.
The WannaCry attack was a significant reminder of the continuing need for proper "Digital hygiene". Much has been written on this. There are some steps that one can take to minimise the risk of attack and these should always be at the forefront of one's mind and strictly applied in corporate IT policies. These include things like being aware of potential phishing sites; not installing software, plugins or extensions unless from a reputable source; updating software; running the latest security versions; and always backing up your data.
From a legal perspective, the law has been a bit slow in keeping up with technological changes, but things are now starting to move. The Electronic Communications and Transactions Act broadly includes ransomware attacks under interception of data. However, the new Cybercrimes and Cybersecurity Bill specifically deals with the intentional and unlawful interference not just of data but also of a computer program. The new Cybercrimes and Cybersecurity Bill (the Bill) which has been tabled before Parliament defines numerous new cybercrimes, which were impossible to prosecute before. The Bill is currently waiting to be opened for the first round of public comment.
The Bill applies to everyone. In addition to the many new cybercrimes, the Bill imposes extensive cybersecurity obligations on electronic communications service providers, financial institutions, payments system institutions, and any company, entity, or person who is declared by the Minister of State Security to own or control critical information infrastructure. Due to the broad language of the Bill, these obligations extend well past the traditional understanding of financial institutions, payment systems institutions and electronic communications service providers. The Cybercrimes Bill emphasises information sharing between government on the one hand, through its Cybersecurity Hub; and the private sector on the other hand.
In its Parliamentary briefing in February 2017, the Cybersecurity Hub stated that they are already in talks with stakeholders in the logistics, financial, and communications sectors on information sharing arrangements. This Bill affects many material responsibilities under the Protection of Personal Information Act, the Hate Speech Bill, and the Twin Peaks Bill. Non-compliance carries imprisonment or a fine. This creates a risk for the private sector, which now needs to master this web of compliance...quickly.