Catching Wizard Spider: How a New U.N. Cybercrime Treaty Can Address Ransomware Attacks from Russia and Beyond
Introduction
In June 2022, a Russian-linked ransomware group attacked the Costa Rican government, targeting over twenty-seven agencies and sending Costa Rica’s healthcare system “into a spiral.” The group, called Conti, has a history of targeting healthcare organizations and supports Russia’s war in Ukraine. It has perpetrated over 1,000 ransomware attacks and extorted over 180 million dollars from its victims. Since cyberspace transcends national boundaries, international cooperation is required to effectively regulate cyber threats. The time is right for the international community to reassess what international law can do to stop international cyberattacks, including ransomware attacks.
U.N. negotiations for a new cybercrime treaty are underway and a final text is expected to be ready by early 2024. However, Russia has invaded Ukraine and launched cyberattacks against it, causing some U.N. participants to question whether Russia “could debate in good faith and defend claims of sovereignty in formulating cybercrime provisions” at the U.N. under such circumstances. Various countries, such as India, Egypt, and Canada, have submitted proposals for a new treaty; some of the proposals, as well as other aspects of the negotiations, have been criticized on the basis that they could hinder human rights or stifle cybersecurity research. Ultimately, “[i]t remains to be seen if governments will find a way to produce an instrument that bridges competing interests, or if a lack of consensus and trust will be too difficult to overcome.”
It is important to learn from the strengths and weaknesses of the current main international treaty on cybercrime—the Council of Europe’s Budapest Convention—so that a new U.N. cybercrime treaty can be optimally effective. This Essay argues that a new U.N. cybercrime treaty should build on the strengths of the Budapest Convention by including a clearer “extradite-or-prosecute” requirement for its signatories and by creating strong privacy requirements to counterbalance the risks created by any data-sharing provisions.
I. A Brief Primer on Ransomware Attacks
In a ransomware attack, hackers deprive users or institutions of access to their data in hopes of getting the victims to pay a ransom, often in bitcoin. Ransomware attacks often involve mounting phishing attacks, exploiting unpatched software, or cracking weak passwords, though they can sometimes involve zero-day attacks that exploit undiscovered vulnerabilities. In addition to causing disruption and panic, ransomware also has serious economic costs, especially when victims pay off attackers. In 2020, the FBI’s Internet Crime Complaint Center (IC3) identified over $29.1 million in losses, though “[t]he reality is probably of a different magnitude.” One source estimated that, globally, nearly $350 million in cryptocurrency was paid to ransomware attackers in 2020, though again, this may be an undercount. Even when the victims pay up—reinforcing the attackers’ behavior—there is no guarantee that their access to data will be restored.
Recent ransomware attacks are truly the stuff of nightmares, especially when they target healthcare and other critical infrastructure industries. For instance, in December 2021, just as the first Omicron COVID-19 variant was on the rise, a ransomware attack hit Maryland’s Department of Health, making COVID-19 data unavailable. In May 2021, a ransomware attack on Ireland’s health system paralyzed it for a week. That particular attack is believed to have been the work of a Russian-speaking cybercrime group called Wizard Spider, which threatened to publish the stolen data unless officials paid nearly twenty million dollars. Ransomware attacks have also hit Scripps Health in California, the University of Vermont’s Medical Center, and multiple hospitals in New Zealand, forcing the New Zealand “clinicians to use pen and paper [ ] and postpon[e] nonelective surgeries.” Indeed, “cybercrime can endanger some of the most vulnerable populations—those who are sick or elderly—that rely on medical resources. The question isn’t if cybercriminals will attack public health targets, but when.”
Ransomware attacks have also recently hit other key industries, such as the gas and meat industries. For instance, in 2021, a ransomware attack hit Colonial Pipeline, a major American supplier of gas, diesel, and jet fuel. It had to shut down its pipelines, prompting panic buying and fuel shortages. Similarly, after ransomware hackers temporarily disabled meat processing plants that process around twenty percent of the U.S. meat supply, the supplier, JBS, paid the cybercriminals roughly $11 million. That attack has been attributed to a Russia-based group called REvil, short for “Ransomware Evil.”
While the Budapest Convention covers attacks like these, such attacks persist, as the Costa Rica example demonstrates. This suggests that there may be room to make the Budapest Convention or its successor more effective. Specifically, looking to other ways that international law has addressed more traditional forms of crime—for instance, via extradite-or-prosecute requirements—may help address the problem of cybercrime. While cybercrime is relatively novel, addressing it might not involve a novel solution, at least where international ransomware attacks are concerned.
II. The Budapest Convention on Cybercrime
The Council of Europe formulated the Budapest Convention with three main goals: (1) to harmonize domestic cybercrime law, (2) to provide for domestic criminal procedures sufficient to combat cybercrime, and (3) to create a “fast and effective regime of international co-operation” on cybercrime.
A. Harmonizing Domestic Cybercrime Law and Providing for Domestic Procedures to Combat Cybercrime
After its preamble and definitional section, Chapter II describes “[m]easures to be taken at the national level.” Such measures fall into two main categories: “[s]ubstantive criminal law” and “procedural law.” These categories generally map onto the Convention’s first two main goals: harmonizing domestic criminal law and ensuring that domestic criminal procedure is sufficient to combat cybercrime. For example, in the substantive criminal law section, Article 2 requires each party to establish domestic laws criminalizing intentional “access to the whole or any part of a computer system without right.”
Several Articles within Chapter II pertain to international ransomware attacks. Specifically, Article 4 requires signatory countries to prohibit “suppression of data without right,” and Article 5 requires signatory countries to prohibit “serious hindering without right of the functioning of a computer system,” for instance, by “suppressing” data. Ransomware attacks can involve any of these behaviors. While neither Article 4 nor Article 5 explicitly mentions ransomware attacks, they clearly require countries to criminalize such attacks, just as a “no pets” clause in a lease would clearly prohibit dogs.
Conferring individual international criminal liability for cybercrime, however, was not one of the main goals of the Budapest Convention. First, unlike Article 25 of the International Criminal Court’s Rome Statute, the text of the Budapest Convention does not explicitly provide for individual criminal liability. Second, throughout the Budapest Convention, it is the parties to the convention—the signatory countries—to whom the Convention’s obligations explicitly apply.[1] Third, in the Council of Europe’s 2020 report on the effectiveness of the Budapest Convention, the Council lists six main benefits of acceding to the Convention, none of which involve prosecuting individuals. In short, rather than conferring individual international criminal liability for hacking, the Budapest Convention requires countries to take action relating to the criminalization and prosecution of hacking. Thus, a Budapest Convention violation occurs not when an individual hacks, but, for instance, when a country that promised to criminalize hacking fails to do so.
B. Creating International Cooperation to Combat Cybercrime
Chapter III focuses on “international co-operation,” which maps onto the Convention’s third main goal of creating a fast and effective cooperative regime. According to Article 23, this chapter establishes international cooperation “to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.” Two particular aspects of Chapter III merit further analysis here: the extradition provision and the data-sharing provisions.
1. Extradition.
Part of Article 24 provides a broad extradition provision that allows (but does not require) signatory countries that lack an extradition treaty with each other to use the Budapest Convention as the basis to extradite cybercrime perpetrators, so long as the crimes at issue are punishable by at least one year of imprisonment in both countries.
The extradition aspect of Chapter III may be particularly useful due to the difficulties that domestic courts have sometimes had in extraditing cyberattack perpetrators. For example, following the 2016 U.S. presidential election, the U.S. Department of Justice indicted twelve Russian nationals for hacking into the servers and e-mails of the Democratic National Committee. The individuals were employed by the GRU (Glavnoye Razvedyvatelnoye Upravlenie), the main Russian military intelligence agency, and they lived and worked in Russia. “Russia is not legally bound to extradite any of the 12 men who were indicted,” and indeed, it does not appear that such extradition ever occurred. This is not surprising, given that there is no extradition treaty between the United States and Russia and given that Russia has not signed onto the Budapest Convention.
2. Data-sharing provisions.
The Budapest Convention has raised eyebrows on the basis that its data-sharing provisions could bypass other treaties or compromise sensitive government information in cloud storage. Privacy concerns about the Budapest Convention and Second Additional Protocol may have merit, since some Chapter III and Second Additional Protocol provisions may create privacy or security risks for data that is in the hands of government actors. For example, Article 26, paragraph 1 of the Budapest Convention allows its state parties to forward investigative information to other parties when “it considers that the disclosure of such information might” help the other party investigate or prosecute crimes established by the Budapest Convention or might “lead to a request for co-operation by that Party under this chapter.”
Rather than flatly requiring that information received in this manner be kept confidential and used only in the investigation for which it is authorized, the Budapest Convention makes these confidentiality and use limitation measures contingent on a request from the sending party. In other words, Article 28, paragraph 2 allows (but does not require) sending parties to place confidentiality and use limitation conditions on the information being sent.
This problem is remedied somewhat in Article 14 of the Second Additional Protocol, which addresses the protection of personal data, but the Second Additional Protocol—which not all Budapest Convention parties have signed—still creates loopholes. Perhaps most notably, Article 14(1)(c) allows external agreements between parties to supersede many of the data protection rules in Article 14. In other words, the Second Additional Protocol merely sets a default rule for data protection that its parties can contract around. Even if parties choose not to contract around the Article 14 defaults, loopholes exist within Article 14 itself. For example, part of Article 14(2)(a) reads: “The Party that has received personal data shall process them for the purposes described in Article 2. It shall not further process the personal data for an incompatible purpose, and it shall not further process the data when this is not permitted under its domestic framework.” However, there may be alternate purposes that are not “incompatible” with the original purpose but still fall beyond the purpose for which the data was requested.
As international players consider the prospect of a new treaty, eagerness for law enforcement data-sharing should not cause them to discount the importance of privacy. After all, “[p]rivacy is how we seek to protect ourselves and society against arbitrary and unjustified use of power, by controlling what can be known about us and done to us . . . . It gives us space to be ourselves free of judgement, and [it] allows us to think freely without discrimination.” While collection of information by a domestic government may already constitute an invasion of privacy, the harms of this invasion can be magnified when the data is sent abroad, especially if the data is sent to a country with less robust privacy laws or norms.
C. The Budapest Convention: Resounding Success, or Paper Tiger?
Scholars debate how successful the Convention has been at achieving its goals. On the one hand, some authors praise the Convention, since it has recognized “that cyber threats often cannot be solved by individual countries acting alone” and has formed the basis for many other treaties and directives. At least one other scholar has argued that “[t]he Convention may play an important role in addressing [domestic extradition] issues without the need for renegotiation of individual treaties.” In contrast, other scholars are less convinced of the Convention’s success, or they qualify their praise. For example, they note that key countries like Russia and China have not signed it, many states that have ratified the Budapest Convention have failed to pass domestic legislation to implement it, and important terms and sections of the Convention are vague. It has also been criticized for obsolescence, with authors saying that it has “failed to evolve along with recent technological and social developments.” At least one scholar has blatantly called it weak.
In 2020, the Council of Europe assessed the Budapest Convention and concluded that the Convention has had a broad impact on domestic legislation, noting that 153 states have used it as a guideline. It also provided instances in which countries had leveraged the provisions of the Budapest Convention in prosecutions. Many countries cited the mutual assistance provisions as particularly useful. Altogether, the evidence shows that the Budapest Convention has been reasonably successful in reaching its goal of creating an international cooperation regime on cybercrime, though international harmonization of criminal law and procedure for cybercrime remains somewhat elusive.[2]
III. Considerations for a New Treaty
Members of the U.N. should learn from the Council of Europe’s Budapest Convention and consider including, in a successor U.N. treaty, a strongly worded clause requiring every party to the treaty to prosecute or to extradite cybercrime perpetrators. This approach builds on the extradition strengths of the Budapest Convention and closes an important loophole, follows the lead of a variety of other treaties addressing serious international problems, and leverages domestic courts.
First, this approach builds on the strengths of the Budapest Convention while closing a loophole in an existing provision that approaches an extradite-or-prosecute requirement. As the example about the United States’s inability to force the extradition of Russian hackers demonstrates, extradition can sometimes be a stumbling block for the domestic prosecution of cybercrime. Chapter III of the Budapest Convention addresses this problem to a certain degree by allowing the Convention to operate as an extradition treaty among its members, provided that certain conditions are met. But a more robust provision requiring extradition or prosecution would turn the existing conditional extradition provision in the Budapest Convention into an unconditional legal duty.
A new extradite-or-prosecute provision would be similar to Article 24, Paragraph 6 of the Budapest Convention, which approaches an extradite-or-prosecute requirement. The current prosecution obligation, however, only clearly applies if extradition is “refused solely on the basis of the nationality of the person sought, or because the requested Party deems that it has jurisdiction over the offence.” In other words, under the current regime, if a country like France, which has adopted domestic laws that prohibit extraditing its nationals, signs the Budapest Convention and then refuses to extradite cybercrime perpetrators on the basis of their French nationality, the Convention would not require France to extradite them, but would require France to prosecute them. The same principle would apply if France deemed it had jurisdiction over the offense for other reasons: France would not need to extradite the hackers, but would then have to prosecute them.
This provision needs to be made stronger because countries could resist extradition or prosecution on a basis other than an argument from nationality or jurisdiction, creating a gap in cybercrime enforcement. To make the problem with this provision clearer, suppose that a hacker in Country A attacks a target in Country B, and both countries are parties to the Budapest Convention. Country B attempts to get Country A to extradite the hacker to Country B, but Country A refuses for some reason other than nationality or jurisdiction. For instance, suppose Country A and Country B have historically had a hostile relationship with each other, and Country A wants to frustrate Country B at every turn. In this scenario, Country A has no Budapest Convention obligation to prosecute the hacker, since the refusal to extradite was not made on the basis of nationality or jurisdiction, and Country B cannot successfully prosecute the hacker because the hacker will not have been extradited there.
Second, this approach is plausible because it follows in the footsteps of other treaties that address a variety of serious international problems. For example, Article 7 of the Hague Hijacking Convention (formally known as the Convention for the Suppression of Unlawful Seizure of Aircraft) explains:
The Contracting State in the territory of which the alleged offender is found shall, if it does not extradite him, be obliged, without exception whatsoever and whether or not the offence was committed in its territory, to submit the case to its competent authorities for the purpose of prosecution. Those authorities shall take their decision in the same manner as in the case of any ordinary offence of a serious nature under the law of that State.
As the International Law Commission noted, the language in the Hijacking Convention “has served as a model for several subsequent conventions aimed at the suppression of specific offences, principally in the fight against terrorism, but also in many other areas (including torture, mercenarism, crimes against United Nations and associated personnel, transnational crime, corruption, and enforced disappearance).” For example, Article 8 of the 1979 International Convention against the Taking of Hostages uses very similar language.
Note that these extradite-or-prosecute requirements are more strongly stated and less conditional than Article 24, Paragraph 6 of the Budapest Convention: they do not, for instance, kick in only when a country refuses extradition on the basis of nationality or jurisdiction, but apply whenever the state declines to extradite, whatever its reason. In short, an unconditional extradite-or-prosecute requirement is a versatile hammer that has been used to hit the protruding nails of many international ills. Perhaps it could be used to address cybercrime, as well.
Third, this approach leverages the strengths of domestic courts without straining the limited resources of international courts. By contrast, an alternate approach to international cybercrime could be to specifically mention cyberattacks in the Rome Statute. This statute is enforced by the International Criminal Court (ICC), and it confers individual liability for certain serious international crimes, such as war crimes and crimes against humanity. However, as Judge Brichambaut noted in his October 2022 remarks at the University of Chicago Law School, the ICC has only eighteen judges and three courtrooms. Accordingly, while the ICC is, or could be, an effective forum for prosecuting the perpetrators of the world’s very worst international crimes, an approach to international cybercrime that focuses on domestic enforcement leverages the enforcement capacity of innumerable prosecutorial bodies and courts throughout the world rather than trying to expand the ICC. As it is, national criminal justice systems can address cybercrimes that, while often serious, are unlikely to rise to the level of the atrocities over which the ICC has jurisdiction.
One might wonder how this new treaty would curtail the behavior of nations like Russia, where ransomware perpetrators have a high likelihood of residing but that have a low likelihood of signing onto well-crafted international cybercrime treaties. Admittedly, my treaty-based solution might best be understood simply as a way to strengthen the international cybercrime framework among countries that are already reasonably cooperative on the international scene rather than as a tool to address cybercrimes stemming from less cooperative nations. However, perhaps this solution could still be applicable to the less cooperative nations once the provisions of this new treaty achieve the status of customary international law.
The extradite-or-prosecute requirement laid out in a new treaty could eventually achieve the status of customary international law that is binding on non-signatories. Consider that some aspects of cybercrime enforcement—and the extradite-or-prosecute principle—may already have achieved that status. Some scholars have, indeed, proposed that the Budapest Convention and other similar conventions “could serve as opinio juris that States have an obligation to enact and enforce cybercrime laws within their territories and to cooperate to prosecute and extradite cybercriminals.” The Budapest Convention may therefore reflect “a growing international consensus that the establishment of domestic cybercrime laws is an international obligation.” Moreover, a general duty to extradite or prosecute may also be based in customary international law. Although traditionally, “it was generally accepted that no duty to extradite or prosecute existed in customary law,” this perspective may be starting to change. As one scholar has explained, “[t]here is growing acceptance of a generalized customary law norm requiring custodial states to either extradite or prosecute major criminals,” and the concept dates back to the time of Grotius. Accordingly, the ground may have already been prepared for the seeds of cybercrime extradition or prosecution obligations to grow into the flowers of customary international law, should the U.N. choose to plant these seeds with the trowel of a new treaty.
Finally, as U.N. members consider a new cybercrime treaty to combat harms like Russian ransomware attacks, they will need to grapple with the fact that some of the aspects of the Budapest Convention that have probably been the most effective—the Chapter III data-sharing provisions—are also the aspects that are most concerning from a privacy perspective. Specifically, if a new treaty doubles down on facilitating data-sharing among signatory nations, especially without counterbalancing this risk with strongly-stated and enforceable privacy requirements, this approach may facilitate cybercrime prosecution but unnecessarily sacrifice privacy rights.
Conclusion
International cyberattacks such as ransomware attacks pose serious threats that merit intervention via international law. The Budapest Convention on Cybercrime addresses these threats to a certain degree, though it binds states rather than individuals and may gain much of its utility through cooperation provisions that raise legitimate privacy concerns. One particular asset of the treaty, however, is its extradition section. Moving forward, when drafting a new cybercrime treaty to replace or supplement the Council of Europe’s Budapest Convention, the U.N. should require signatory nations to try or extradite perpetrators of cyberattacks. This approach follows in the footsteps of various conventions and builds on the extradition-related strengths of the Budapest Convention. Even nations like Russia that are unlikely to sign such a treaty may eventually be bound once the provisions of the treaty rise to the level of customary international law.
[1] For instance, Article 4—a key provision for ransomware, as it deals with data suppression—begins: “Each Party shall adopt such legislative and other measures as may be necessary.” Throughout the Budapest Convention, when obligations are invoked, a drumbeat of the words “each Party” and “a Party” persists, with individual obligation scarce to nonexistent.
[2] See, e.g., Brendan Sullivan, A Tale of Two Treaties: A Maritime Model to Stop the Scourge of Cybercrime, 39 Bos. Univ. Int’l L.J. 143, 175 (2021) (“Cybercrime experts complain that transglobal cybercrime is not being effectively prosecuted because cybercrime laws are not in harmony, even for countries that adopted the Budapest Convention.”).