As cyber attacks increasingly target critical infrastructure, they’re causing real-world deaths. Here’s what attorneys say about prosecuting the attackers for murder…
Cybercrime is growing every year. And so are the stakes.
The stakes are now a lot higher than messed-up websites or stolen documents. Cyber attacks increasingly have devastating real-world impacts – people are dying as a direct or indirect result of cyber attacks.
Could cyber attackers be prosecuted for manslaughter or murder when their attacks result in real-world deaths?
Let’s hash it out.
How Cybercrime Is Causing Life-Threatening Problems at Hospitals
What If There’s No Hospital to Go To?
Most of us take it for granted that there’s a hospital near us we can go to if a medical emergency strikes. Whether it’s a broken bone, heart attack symptoms, or something else, we know we can get treatment to avoid more serious consequences (in most cases).
But what if your local hospital was shut down because a ransomware attack disabled their computers and equipment? That’s exactly what happened recently in Wyoming. As PBS explains:
Campbell County Health reported a systemwide crippling of their computers that affected its flagship hospital and nearly 20 clinics located in the city of Gillette. For eight hours, the hospital’s emergency department was forced to transfer patients even though the next nearest hospital was located 70 miles away. The health care system stopped admitting new patients, labs were shuttered and some surgeries were postponed. It took 17 days to restore normal order.
Redirecting patients to the next nearest hospital sounds routine, but when you have to travel 70 additional miles to get to the hospital, that’s a pretty big deal. Studies have found that delaying treatment for serious conditions such as heart attacks and strokes by more than an hour significantly reduces the patients’ chances of survival.
WannaCry Cancels Surgeries and Appointments Across the U.K.’s National Health Service
We’ve previously covered the devastating WannaCry ransomware attack. In 2017, the U.K. Comptroller and Auditor General released a report analyzing the impact of the WannaCry attack on the NHS. The report (among other findings) noted that the attack:
- caused “disruption in at least 34%” of the NHS trusts (organizational units) in England
- resulted in approximately 19,000 appointments that were canceled, and
- caused patients in five areas to “travel further to accident and emergency departments.”
Keeping in mind that minutes count when it comes to getting treatment for serious conditions and accidents, it’s not far-fetched to guess that these healthcare disruptions may have led to avoidable fatalities. (Unfortunately, we’re only able to guess about this. NHS says: “As data were not collected during the incident, neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients.”)
Vanderbilt Study Finds Cyber Attacks Increase Heart Attack Fatality Rate
A recent study by Vanderbilt looked at how heart attack victims fared at hospitals impacted by a data breach vs. hospitals that hadn’t been impacted by a data breach. The researchers analyzed data from a total of 3,025 different hospitals across the US. This study looked more at long-term impacts rather than immediate and direct impacts from the attack. But the results are pretty interesting:
Hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the three-year window following a breach.
In other words, in addition to direct problems caused while the attack is ongoing, there are lasting impacts that cause increased fatality rates for 3 years after the attack.
This Isn’t Just a Healthcare Issue, Either…
Hospitals and emergency clinics aren’t the only targets where cyber attacks are putting lives on the line. Attacks on other critical infrastructure could lead to real-world deaths, too. For example:
- A hacker taking control of an electric car could crash it (intentionally or by accident).
- A cyber attack shutting down or manipulating an air traffic control office could cause a plane to crash.
- A cyber attack against traffic lights and/or control systems could cause accidents across the city.
- A ransomware attack against a power plant could result in power losses at critical locations such as hospitals, nursing homes, etc.
- A cyber attack could be used to help enable a prison escape, resulting in subsequent crimes.
If Cyber Attacks Cause Deaths, Can We Charge the Attackers with Manslaughter? Here’s What Attorneys Say…
I like to flatter myself that I’m pretty good at finding the answer to just about any question on Google. But when it comes to legal advice, it’s better to bring in the experts. So, I asked four attorneys with expertise in criminal law and/or cybercrime to share their insights on this topic. Here are the four legal professionals who contributed their expertise for your reading pleasure.
- Ryan Blanch, a criminal defense attorney specializing in “white collar criminal cases” in NY.
- Joseph Hoelscher, a criminal defense attorney with cybersecurity experience in Texas
- Melissa Hamilton, formerly a US police officer and law professor, now a law professor at the University of Surrey in England
- David Reischer, attorney & CEO of LegalAdvice.com
And here’s what they had to say:
Yes, Cybercriminals Can Be Charged with Manslaughter
Manslaughter is an unlawful killing that doesn’t involve malice aforethought to seriously harm or kill a person. It is an extreme, reckless disregard for human life. An unintentional death, even as a consequence from a cyber-crime, could potentially be prosecuted for manslaughter if there is reckless conduct that causes the death of a person. – David Reischer, Attorney
Manslaughter is typically a state level offense defined as causing death through recklessness. So, manslaughter certainly fits, even if the deaths caused by a particular cybercrime were an accident. – Joseph Hoelscher, Criminal Defense Attorney
Current Laws Are Strong, But They May Need to Be Tweaked for Cyber Crimes
In my opinion, our laws are adequate for larger scale attacks or those causing deaths. Updates to cybercrime laws are needed by some states for lower level crimes like online harassment. However, our ability to identify cybercriminals is sorely lacking. Updating the US Sentencing Guidelines or State penalties for large attacks to force harsher punishment could be appropriate. But, really, there’s lots of ways to convict and punish someone who causes a death or even a serious injury. If a judge or jury believes that the manner or means of use of a computer supported its designation as a deadly weapon in a particular case, then even an injury could bring up to 20 years in a Texas prison, for example. Our problem in prosecuting cybercrimes isn’t our law but our capabilities. – Joseph Hoelscher, Criminal Defense Attorney
There may be the need to update criminal statutes that specifically address the issue of an unintentional death as a result of a cyber-crime. At present, a conviction of a person for manslaughter that is a result from a cyber-crime may be compromised due to the prosecution’s inability to prove the conduct was in fact reckless. A statute that strictly imposes liability for a death that results from a cyber-crime would mitigate the need for a court to determine that such conduct was in fact reckless. – David Reischer, Attorney
In Some Areas, Murder or Felony Murder Is Possible
In states with the felony murder rule, this could be a potential charge, and often one that has a greater penalty than manslaughter. Indeed, in a few states, felony murder can justify the death penalty. – Dr. Melissa Hamilton, Professor of Law
Felony murder (though it can vary slightly by state) means the person is guilty of murder if a death results from their commission of a felony. Generally, felony murder applies even if the death occurs not at the hands of the defendant. Examples in real cases here have included when a victim was shot by responding police, killed by an accomplice, or died of a heart attack out of fear of the defendant’s violent felony.
I think higher offenses such as felony murder or even capital murder, could fit the bill. Felony murder occurs when, in the commission of a felony, a defendant caused a death, by accident or mistake, in furtherance of the offense. The classic example is a bank robber who doesn’t mean to kill anybody but accidentally shoots and kills a customer. Most cybercrimes are felonies so if a death results, then I think felony murder is potentially appropriate. – Joseph Hoelscher, Criminal Defense Attorney
Cybercrimes are typically prosecuted federally and that’s a slightly different analysis. That said, if the feds had a cybercrime case where they thought the locals could bring stronger punishment, they might defer to the State.
Under current US law if it’s abundantly foreseeable that a cyberattack might result in death (such as where the victim is a hospital or ER) the cyber attacker could be charged with murder. Murder requires intent to bring about death. However, “intent” can be fulfilled with “willful blindness” or “reckless disregard.” Attacks on an air traffic control tower resulting in death would be a case where the attacker could be charged with homicide. – Ryan Blanch, Criminal Defense Attorney
Prosecutors Have Several Options to Link the Cyber Attack to the Death
US criminal law in terms of a homicide crime is a but-for test. This means, but for the defendant’s action, would the result (i.e., death) have occurred? Even if other causes are present, if the death would not have happened without, here, the defendant’s cybercrime, then the person is guilty of some form of homicide. The type of homicide in that instance depends on the defendant’s mens rea, which means guilty mind. The level of homicide crime could be, for instance, intentional, knowing, reckless, or negligent. – Dr. Melissa Hamilton, Professor of Law
A homicide charge would require proof that a specific life was taken as a direct result of a malware attack. [The cyber attacker] would have to not only (A) intend to cause the death (satisfied by being ‘willfully blind’ to the near certainty that taking down the entire computer system of an ER facility would put human life at a substantial risk) but (B) the resultant death would need to have been caused by the malware attack. So it can’t be a removed correlative statistic showing that a rise in malware attacks on medical facilities coincides with a commensurate rise in mortality rates.
However, there is another doctrine called “felony murder” that many states observe. That says that if death is the result of a felony then the person committing the felony is guilty of murder. This is the case even where murder was never intended by the perpetrator of the felony. The classic example is where a bank robbery causes a police officer to inadvertently shoot a bystander at the bank in an attempt to shoot the bank robber. Although the bank robber was not even armed, he may be charged with homicide under the felony murder rule.
It would also be enough if they could show that the malware attack was a significant intervening cause in the person’s death even if the person would’ve died sometime later anyway. The classic textbook example is where someone who is shot is bleeding out slowly and is then shot in the head by someone else to put them out of their misery. – Ryan Blanch, Criminal Defense Attorney
Cybercriminals from Other Countries Can Be Extradited, But In Some Cases It’s Political
Even though extradition treaties vary between countries there is the ability to extradite a criminal that caused serious criminal harm such as manslaughter as a result of a cyber-crime. – David Reischer, Attorney
Extradition laws are not as uniform as law enforcement would like, but the means of killing doesn’t change eligibility for extradition. – Joseph Hoelscher, Criminal Defense Attorney
The problem [with extradition], of course, is that some countries won’t extradite, including those originating our primary cybersecurity threats – China, Russia, Iran, North Korea. Extradition from those countries is a political, not legal, process.
This Is Mostly Theoretical (So Far)
As far as I know, there haven’t been any cyber attacks that resulted in manslaughter or murder charges. That may be due in part to the fact that researchers are just starting to understand the links between cyber attacks and real world deaths.
There’s no need to panic – cybercrimes aren’t exactly a leading cause of death. But I think it’s a very interesting question to ponder – how will our legal and political systems respond as cyber attacks have an increasingly real-world impact?
This concern also highlights the need for cybersecurity education. Making sure people are aware of the real-world impacts and consequences of cyber crime might discourage a young person from dabbling in illegal hacking. They need to realize that cybercrime is a much bigger deal than mischievous acts like spraying their lover’s name on an overpass. There are many reasons why people hack, but some people may choose not to if they realize what’s at stake. In some cases, lives are at stake.