
The Business Lawyer

Winter 2021-2022 | Volume 77, Issue 1

The “New Abnormal”—The Emergence of Persistently Insecure Digital Systems

Roland Leslie Trope

Summary

  • Explanation of “High-Impact, Low-Frequency” cyber incidents;
  • SolarWinds—creation of persistently insecure systems;
  • Insurance coverage in ransomware attack on critical infrastructure;
  • SCOTUS decision in Van Buren v. United States concerning the Computer Fraud and Abuse Act.

I. Introduction

Grid operators and owners have long recognized the need to secure digital communications and operations against “high-impact, low-frequency” (“HILF”) event risks. As explained in a 2009 report prepared by the North American Electric Reliability Corporation (“NERC”) and the U.S. Department of Energy, HILF event risks

have the potential to cause catastrophic impacts on the electric power system, but either rarely occur, or, in some cases, have never occurred. Examples of HILF risks include coordinated cyber . . . attacks, . . . and major natural disasters like earthquakes, tsunamis, large hurricanes, pandemics, and geomagnetic disturbances caused by solar weather.

Even so, critical infrastructure enterprises and their legal counsel may be challenged when a single HILF event occurs, especially if the infrequency and randomness of HILF event occurrence have lulled contingency planners into excluding HILF events from “worst-case” scenario planning.

Compared to customary “worst-case” scenarios, HILF events and their disruptive effects expand exponentially, often without awareness by enterprise officers, directors, and counsel until it’s too late for them to make orderly adjustments in contingency plans and to keep the enterprise from succumbing. HILF events may emerge with little or no warning (e.g., earthquakes, tsunamis), or with warning signs that go unnoticed or denied until it’s too late to contain the exponential growth of the HILF event’s disruptive effects. English mathematician Hannah Fry describes the belated detection and response challenges when the HILF event is a pandemic that spreads exponentially:

“The thing you have to understand about exponential growth is that it feels like nothing is happening for ages and then it’s like an unstoppable truck that’s just slamming into a wall” . . . .

Her favorite example is of an imaginary lily pad on a pond doubling its area every day. It starts growing in one minuscule corner and covers the whole surface of the pond after a month. By day 20, the lily pad is still almost invisible. By day 28, it covers a quarter of the pond, by day 29 it covers half, and by day 30 it covers it all.

During the survey year, multiple overlapping HILF events revealed deficiencies in cybersecurity and contingency planning. The HILF events we experienced included:

  • the global COVID-19 pandemic;
  • a succession of ransomware attacks on critical infrastructure (e.g., Colonial Pipeline, JBS USA Holdings, Inc.); and,
  • a massive series of state-sponsored advanced persistent threat (“APT”) attacks on major tech companies (e.g., SolarWinds, Microsoft).

Each APT was discovered months after initial intrusion, each with an indeterminate scope, and each requiring such extensive remediation that it may take years to rebuild the networks from scratch. Even then, we may discover the new components to be already compromised by malware. The net effect has been a paradigm shift from low- to high-impact disruptions. Low-impact disruptions (e.g., from thunderstorms or computer theft) tend to be relatively short (days, weeks). High-impact disruptions often persist for a long and uncertain period (many months or years). There has also been a paradigm shift from moderate to catastrophic disruptions with a demonstrable loss of enterprise resilience. Enterprises usually recover quickly and completely from low-impact disruptions. Enterprises often fail to fully recover from high-impact disruptions, and if they do, recovery tends to be slow and to require substantial reconstruction or replacement of equipment and systems. Many enterprises might find the recovery effort infeasible, or the disruptions so harmful they succumb to them.

The HILF events and the paradigm shifts they ushered in have rendered obsolete the concept of a “new normal.” The concept of a “new normal” after a disruptive incident reassuringly presumes there will be a complete post-event recovery: a prompt restoration of pre-event levels of services and operations, of the reliability, trustworthiness, and resilience of digital systems, and of the operations, augmented by artificial intelligence (“AI”), that rely upon such systems. That does not appear to be the prospect for enterprises in the wake of the 2020–21 HILF events and the shock waves of society-wide or jurisdiction-wide HILF event disruptions. The enterprises that survived did so by adapting. Whether the disruption was caused by the pandemic, ransomware, or an APT attack, they adapted by directing or authorizing personnel to work remotely, and thus in locations not protected by the enterprise’s security safeguards. Companies lost visibility over personnel’s use of laptops. Personnel increasingly used work laptops for personal tasks and personal laptops for work tasks, all of which diminished security. As a result, “the perimeter has shifted from the network to the endpoint.” As explained in an HP-prepared report:

Within a matter of weeks in early 2020, WfH [work from home] went from an occasional employee convenience to being the only way many organizations could continue to function. The scale of this change was extraordinary. A YouGov survey of global office workers commissioned for this report by HP . . . shows that 82% worked from home more since the start of the pandemic. . . . However, the danger is that organizations embrace WfH without assessing how this environment amplifies existing security threats. The volume of corporate data being accessed from home has risen substantially, . . . putting more information at risk. All the while, the number of endpoints—personal and employer provisioned—being used to access the corporate network from beyond the traditional network perimeter has exploded. . . . Often, endpoint devices such as laptops . . . and printers are left exposed, raising the chance that security incidents become invisible until damage is done.

As the HP-commissioned study demonstrates, most enterprises decided that, in order to stabilize operations and survive, they would leave their digital systems and networks unsecured and leave their sensitive data without many of the safeguards the enterprises had relied upon prior to the pandemic.

As enterprises adapted and re-adapted to HILF events, their cybersecurity environment increasingly turned into a “new abnormal.” The cyber profile of many enterprises increasingly degraded into a condition of unreliable, insecure, and compromised cyber systems. Many enterprises going forward would be well-advised to presume that their cyber systems are persistently insecure and that their tech experts have not found all intruders or all malware the intruders may have secreted in digital systems. Henceforth, sensitive data may need to be kept off computer networks, servers, and digital storage media to prevent the APT attackers from subsequently accessing it to exfiltrate, destroy, or maliciously modify it. The possibility of that precarious status quo, and of the re-occurrence of HILF events prolonging or aggravating the “new abnormal” (including current APTs that may yet be detected), merits consideration. To facilitate that consideration, this essay will discuss:

  • in Part II, the most significant known APTs during 2020–21;
  • in Part III, an Indiana Supreme Court decision on whether payment of ransomware comes within insurance coverage for “use of any computer to fraudulently cause a transfer” of property or funds;
  • in Part IV, a U.S. Supreme Court decision on whether an individual who accesses a computer and certain directories and files—with authorization—and then misuses the accessed data in violation of a workplace rule or website term of use, thereby violates the Computer Fraud and Abuse Act (“CFAA”); and,
  • in Part V, possible lessons for enterprises whose viability depends on cybersecurity and resiliency to HILF events.

II. SolarWinds Incident—Creation of Persistently Insecure, Digital-Based Systems

In mid-December 2020, software firm SolarWinds disclosed that its information technology platform, Orion, had been hacked an indefinite number of months earlier. Malicious actors (reportedly of Russian intelligence service SVR) had carried out a sophisticated, stealthy intrusion and remained undetected in targeted systems and networks for at least nine months. The intrusion included malware planted “in a routine software upgrade” of SolarWinds’ Orion program, which “keeps a watchful eye on all the various components in a company’s network,” and affected customers located within SolarWinds’ supply chain.

On December 13, 2020, the Department of Homeland Security Computer Readiness Team issued Emergency Directive 21-01 (“ED 21-01”). ED 21-01 appears to have been premised on several features of the incident: first, the unusual scope and severity of the attack (“over 17,000 organizations downloaded the infected back door”); second, the lengthy period during which it continued without detection; and third, a determination that the incident created “persistence in the [computer network] environment” with the result that it appears uncertain whether it will be possible to eradicate the malicious actors and the malware they secreted in targeted systems. ED 21-01 cautioned: “SolarWinds Orion products . . . are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices . . . is the only known mitigation measure currently available.” Estimates (made in March 2021) predicted that agencies, attempting to rebuild their networks from scratch, may need “in the neighborhood of 12 to 18 months.”

Law firms whose clients included any of the affected enterprises might still be at risk through digital communications with such clients. The electronic filing system that federal courts use was compromised. In the immediate aftermath, some security experts viewed the attack as “an inflection point” and believe it should be recognized as reflecting certain paradigm shifts, including:

  • The attack methods show that the intruders understood in detail the step-by-step procedures that software companies use internally to initiate, build, test, and release updates; this fact will (or should) “change the way that large enterprises think about the software they install and think about how they handle updates.”
  • And worse, enterprises now need to ask “What if the hackers planted the seeds of future attacks during that nine months they explored SolarWinds’ customer networks—did they hide code for backdoors that will allow them to come and go as they please at a time of their choosing? . . . Will we find out later that the SolarWinds hack set the stage for something more sinister? . . . [N]ations are targeting [the] private sector . . . .”

In early March 2021, Microsoft disclosed that certain users of its email and calendar program Exchange and the program’s operational server had experienced a highly sophisticated cyberattack, reportedly executed by a malicious actor, known as Hafnium, that is located in the People’s Republic of China but that “conducts its operations primarily from leased virtual private servers (VPS) in the United States.” Microsoft explained that Hafnium has historically selected U.S. entities as its main targets, with the aim of exfiltrating data from enterprises in several industry sectors, including law firms. The victims of the hack reportedly extended to upwards of 30,000 Microsoft customers, including federal agencies and private enterprises (particularly small and medium-sized businesses).

The Hafnium attack started in January 2021, escalated in late February, and continued into March 2021. In response, Microsoft released multiple security updates or “patches.” When Microsoft observed that multiple bad actors continued to take advantage of unpatched systems “to attack organizations with on-premises Exchange Server,” Microsoft endeavored to aid defenders in investigating the attacks by releasing a set of “observed indicators of compromise” in the form of “malware hashes and known malicious file paths”; a week later, Microsoft released a “new one-click mitigation tool . . . to help customers who do not have dedicated security or IT teams to apply security updates for Microsoft Exchange Server.”

However, due in part to limitations in technical expertise at many commercial victims, hundreds of servers remained vulnerable. In response, the Federal Bureau of Investigation (“FBI”) sought and obtained judicial authorization to enter electronically many of the victims’ computer networks, search for and locate the “web shells” lodged there by Hafnium, and execute code that would cause those shells to issue a command to the company’s server that they be deleted. As the FBI explained to the District Court:

most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own.

In short, without the knowledge of the affected enterprises, the FBI obtained a search warrant from a U.S. District Court “to seize and copy from Microsoft Exchange Servers located in the United States the web shells identified in [an attachment], and to delete the web shells from those servers.”

The FBI’s novel and extraordinary action did not provide complete remediation for affected enterprises. Removal of the web shells did not identify or remove any other malware that Hafnium may have secreted in each targeted enterprise’s servers and networks. Moreover, whatever vulnerabilities Hafnium may have exploited, it’s possible that the array of Microsoft’s security patches (over twenty-five of which Microsoft released in March and early April 2021) might not have addressed all the Exchange Server zero-day vulnerabilities known to the Hafnium intruders. It’s possible that the same or different intruders could “plant another web shell” and resume the intrusion, exfiltrate information, or modify key operational data to cause kinetic damage.

III. G&G Oil Co. of Indiana, Inc. v. Continental Western Insurance Co.

When advising clients on responses to a ransomware attack, there are multiple uncertainties. They include:

  • Can we restore access to systems and data needed for resumption of at least degraded operations? (Possibly, but the prolonged disruption of Colonial Pipeline and other critical infrastructure targets of ransomware suggests many enterprises have not prepared sufficiently for that contingency.)
  • Can we negotiate a reduction in the demanded payment? (Possibly. If the target is a hospital the attackers may be willing to consider reductions or even to “decrypt for free,” as one ransomware group, DoppelPaymer, says it will do, but the FBI “advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivizes criminal behavior.”)
  • Can we lawfully pay the intruders? (Possibly not, if there’s reason to believe the payment, without a license from the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) will violate any of the U.S. economic sanctions regulations.)
  • Can counsel’s firm ethically pay or advise on making such payment to a criminal? (Possibly, but it is peculiar that despite the multitude of ransomware attacks, no bar association in the United States has issued an ethics opinion that addresses that issue; apparently the sole ethics opinion to date comes from the Queensland Law Society, which addressed the issue of whether a law firm may ethically pay a ransom to recover access to client data in the firm’s computers:

    On balance, the clear obligation to protect client interests tends to outweigh the general public policy objection to paying criminals. Payment of the ransom is therefore an option available to the firm once all of the competing alternatives have been considered. . . . If lawful, we are entitled to make the decision based on what we think will lead to the best outcome for the client and our firm . . . .

    As an aside, if the attackers have had access to compromised systems there is a clear ethical duty to warn clients that this has occurred. So “pay up and keep quiet” is only possible where there is no way the intruders could have client data.)

  • If we pay, will the intruders release the encryption passwords or keys and restore our access to our data? (Possibly, but they may demand additional amounts; and that risk raises an equally salient question: did intruders exploit their access to modify critical data randomly, rendering the data unreliable and potentially hazardous if utilized?)

For any enterprise considering making a payment to hackers, a key question may be whether the insurer will view the payment and the costs imposed by the disruption of operations as covered by the terms of the issued policy. The Supreme Court of Indiana, in a case of first impression, answered that question under Indiana law in G&G Oil Co. of Indiana v. Continental Western Insurance Company.

In November 2017, hackers executed a ransomware attack on G&G Oil Co. of Indiana (“G&G”). Unable to access its servers and most workstations, G&G paid the demanded bitcoin ransom. But the hackers refused to restore G&G’s control over its servers and demanded an additional payment. G&G ultimately paid the additional ransom (for a total of $34,477.50) (“Ransom Payment”); the hackers sent passwords enabling G&G to decrypt and regain access to its servers.

G&G submitted a claim to Continental Western Insurance Company, the issuer of its multi-peril commercial policy. G&G relied on the policy’s Computer Fraud clause (“Computer Fraud Clause”), which read:

We will pay for loss of or damages to “money” . . . and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” . . . .

a. To a person . . . outside those “premises”; or

b. To a place outside those “premises.”

Continental denied G&G’s claim on two grounds. First, G&G had not purchased an optional Computer Virus and Hacking Coverage (“Hacking Coverage”). Second, Continental viewed the Ransom Payment as a loss that did not result directly from the “use of a computer to fraudulently cause a transfer of G&G’s funds.”

G&G filed a complaint seeking a judgment to require Continental to indemnify G&G for the Ransom Payment loss. The trial court granted Continental’s cross-motion for summary judgment. G&G appealed. The Court of Appeals of Indiana affirmed, adopting Continental’s argument that the hacker did not commit an act that qualified as “fraud.” With no “fraud” committed, the Court of Appeals reasoned that the hacker’s actions did not come within the Hacking Coverage for use of a computer to “fraudulently cause” a transfer of money, nor to “fraudulently cause” G&G to “purchase Bitcoin to pay as ransom.” The Court of Appeals seemingly viewed the hacker as an honest thief; although illegal, “there was no deception involved” in the hacker’s ransom demand. No deception, no fraud, no coverage by the Computer Fraud Clause for loss caused by “use of any computer to fraudulently cause a transfer” of money.

G&G appealed to the Supreme Court of Indiana, which reversed. The Supreme Court of Indiana found persuasive the Seventh Circuit’s definition of “fraud” (albeit in the context of bankruptcy): “it includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.” With that as a guide, the Supreme Court of Indiana construed the term “fraudulently cause a transfer” to mean “simply ‘to obtain by trick.’”

Applying that criterion, the court found neither party had demonstrated entitlement to summary judgment. G&G’s evidence fell short, because not every ransomware attack is perforce fraudulent. An enterprise’s cybersecurity becomes a gauge of whether a hacker needed to resort to a “trick.” As the court explained, “if no safeguards were put in place [by G&G], it is possible a hacker could enter a company’s servers unhindered and hold them hostage. There would be no trick there.” Continental’s evidence fell short for the same reason. The court found it unclear whether the hacker gained access to G&G’s computer systems by “trick.”

The court then addressed whether the Ransom Payment loss was one “resulting directly from the use of a computer” as required by the Policy’s Computer Fraud Clause. Continental argued that G&G’s “voluntary transfer of Bitcoin was an intervening cause that severed the causal chain of events” and thereby disconnected the Ransom Payment loss from a direct use of a computer. The court disagreed, finding that G&G’s Ransom Payment was only “voluntary” in the sense that G&G acted consciously. But the court sagaciously reasoned that “the payment more closely resembled one made under duress,” and therefore it was “not so remote that it broke the causal chain” required for G&G’s losses to have “resulted directly from the use of a computer.”

IV. Van Buren v. United States

Georgia police sergeant Van Buren asked acquaintance Albo for a personal loan. Albo secretly recorded the request and shared it with a sheriff’s office, alleging Van Buren tried to “shake him down” for cash. The FBI received the recorded conversation and set up a “sting” operation: Albo would offer Van Buren about $5,000 to search the state law enforcement computer database for a license plate “purportedly belonging to a woman whom Albo had met at a local strip club.” Van Buren agreed. Operating his patrol-car computer, he used credentials that gave him authorized access to the law enforcement database of license plate data records. Van Buren searched the database, found the requested license-plate entry (unaware the FBI had created it), and told Albo he could disclose it to him. Van Buren’s use of the data violated his police department’s prohibition on use of police computers for personal purposes.

The federal government indicted Van Buren under the CFAA, alleging he accessed a computer while “exceed[ing] authorized access.” A jury convicted Van Buren and the Eleventh Circuit affirmed. The U.S. Supreme Court granted certiorari to resolve the split among the circuit courts in interpreting the scope of liability under the CFAA’s “exceeds authorized access” clause.

Government and defendant agreed that defendant had authorization to access the subject computer when he “used his patrol-car computer and valid credentials to log into the law enforcement database.” They disputed whether defendant was “entitled so to obtain” the license-plate record—if not, defendant violated the CFAA. Justice Barrett, writing the opinion of the Court (for a 6 to 3 majority), framed the issue as one of statutory construction: what did “so” mean in the context of that CFAA prohibition against exceeding “authorized access,” which the CFAA defines as occurring when anyone accesses “a computer with authorization and . . . use[s] such access to obtain . . . information in the computer that the accesser is not entitled so to obtain.”

Defendant argued that the disputed phrase “is not entitled so to obtain” means that if a person is authorized to access information in a computer, there is no violation of the CFAA even if he accesses or uses that information for an unauthorized purpose. The government argued that the CFAA is violated if a person is authorized to access the information but does so for an unauthorized purpose.

The Court agreed with the defendant. Explaining her conclusion, Justice Barrett offered a cogent spatial metaphor that referred to “access” and “authorization” as resembling a portcullis or gate “up-or-down.” Justice Barrett reasoned that defendant’s interpretation, unlike the government’s, treated the “without authorization” and “exceeds authorized access” clauses consistently:

Under Van Buren’s reading, liability under both clauses stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system. And reading both clauses to adopt a gates-up-or-down approach aligns with the computer-context understanding of access as entry.

By contrast, the government’s reading would create an illimitable risk of criminalizing “every violation of a computer-use policy,” turning “millions of otherwise law-abiding citizens” into criminals.

The Court concluded that defendant “did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.” The Court reversed the judgment of the Eleventh Circuit and remanded the case for further proceedings consistent with its opinion.

V. Conclusion—Pragmatic Lessons

When a HILF cyber event like SolarWinds occurs, the breached enterprises might never be able to determine with certitude whether the intruders have been expelled, their secreted malware contained, disabled, or eradicated, whether all adverse effects are over, or even whether the scope of the attack and damage have been ascertained. Henceforth, counsel and clients may need to assume the persistent presence of malware and even the continued presence of cyber actors in the enterprise until it can be verified reliably that intruders and malware have indeed been eradicated. But at this time, the possibility of verification that “all’s clear” in a digital system remains uncertain.

In light of the emergence of HILF events, counsel might see whether it can coax a client to “stress test” and reevaluate its cybersecurity safeguards. This may require reevaluation of steps the enterprise has taken that facilitate remote work during the pandemic but that may have sacrificed data safeguards.

The G&G Oil decision suggests that an insured enterprise may be disqualified from recovering on a claim for losses resulting from a ransom payment or disruption of its operations if a court determines that the intruders gained access, not with a “trick,” but through a security lapse or other security deficiency.

After Van Buren, enterprises can no longer rely on invoking criminal prosecution under the CFAA to deter personnel from violating workplace policies on use of company data. If personnel have authority to access the computer, directory, and files containing the data, preventing insider threats and misuse of the data remains an enterprise responsibility.

Enterprise security is often designed to ask good people to do good things and relies on them to do so. Unfortunately, such security proves no match when good people err, are tricked by a clever social engineering ploy, or sour and enlist their ingenuity to do bad things with sensitive data. We might do better to limit our trust to where the consequences of misplaced trust are trivial. But what are we to do about systems where misplaced trust would cause catastrophic disruptions and where experience of recent HILF events teaches us that such systems remain persistently insecure?

Disclaimer: The views expressed herein are solely Mr. Trope’s, and should not be attributed to the U.S. Military Academy, Department of the Army, Department of Defense, or the U.S. Government. Mr. Trope can be contacted at: [email protected].
