Briefing on “Threats Posed by Ransomware Attacks against Hospitals and Other Healthcare Facilities and Services”
Tomorrow morning (8 November), the Security Council will convene for a briefing on “threats posed by ransomware attacks against hospitals and other healthcare facilities and services”. The meeting, which will be held under the “Threats to international peace and security” agenda item, was requested by the US, with support from France, Japan, Malta, the Republic of Korea (ROK), and the UK. Briefings are expected from World Health Organization (WHO) Director-General Tedros Adhanom Ghebreyesus and a representative of Ascension, a faith-based private healthcare organisation in the US.
Background
Ransomware is a type of malicious software, or malware, that infects digital systems and blocks users from accessing data and applications by encrypting key information. To regain access, victims are extorted for a fee, or ransom, typically demanded in cryptocurrency, making it more challenging for law enforcement to trace the payments.
Ransomware attacks have surged in recent years, fuelled in part by the rise of Ransomware-as-a-Service (RaaS), which enables hackers to offer ready-made ransomware kits at low costs, reducing entry barriers for individuals less experienced in cybercrime. The integration of artificial intelligence (AI) into these operations has further amplified the threat. As a result, ransomware attacks have become more frequent and destructive, with estimated payments reaching $1.1 billion in 2023.
In recent years, the Security Council has been more active in addressing cyber threats to international peace and security. Besides discussions within its subsidiary bodies, Council members have addressed cybersecurity threats in both formal and informal settings, such as Arria-formula meetings. These discussions have encompassed a broad range of topics, from cyberattacks targeting critical infrastructure to efforts aimed at countering hate speech on social media. Most recently, on 20 June, the ROK convened a high-level open debate on cybersecurity as a signature event of its June Council presidency. (For more information, see our 19 June What’s in Blue story.)
Although the Council has increased its engagement on cybersecurity, discussions on this matter have primarily taken place in two General Assembly-mandated processes: the Group of Governmental Experts (GGE) on advancing responsible state behaviour in cyberspace in the context of international security and the Open-ended Working Group (OEWG) on security of and in the use of information and communications technologies (ICTs). Since 2004, there have been six GGEs and two OEWGs. The GGEs have established a set of 11 norms of responsible state behaviour in cyberspace, including a commitment by states to refrain from conducting or knowingly supporting ICT activities contrary to their obligations under international law such as those that intentionally damage critical infrastructure.
The OEWG’s latest annual progress report, published on 22 July, emphasised growing concerns among member states about the rise of ransomware attacks, noting that the increase has been partly enabled by the availability of RaaS. States expressed alarm over the increasing frequency, scale, and severity of ransomware attacks, noting that they may have an impact on international peace and security. According to the report, states have underscored the need for a comprehensive approach to addressing ransomware threats, including by “pursuing ransomware actors, targeting the malicious software they use and its dissemination, and countering the illicit finance that supports their activities”. States have also raised concern about the increase in cryptocurrency theft and financing of malicious ICT activity using cryptocurrency, which could potentially impact international security. In its written submission to the OEWG on 11 July, Russia said that it was “unacceptable” to include “issues of peace and security in the context of the topic of combating ransomware” in the report.
Tomorrow’s Meeting
According to a non-paper prepared by the US, tomorrow’s meeting aims to serve as an opportunity to “deepen the Security Council’s understanding of the way critical infrastructure and services to the public, when connected online, can be exploited to cause harm, extort victims, destabilize societies, and pose threats across borders”.
At tomorrow’s briefing, Tedros is expected to emphasise that healthcare facilities have become a major target for ransomware attacks. He may reference the WHO’s 26 January report examining the threat of cyberattacks on healthcare during the COVID-19 pandemic, which notes that a sharp increase in phishing attempts and ransomware attacks was reported in that period, as healthcare organisations adopted digital tools to optimise clinical workflows and provide remote consultations for patients. The report also highlights that although ransomware attacks have primarily targeted healthcare delivery organisations, the COVID-19 pandemic saw an expanded focus on the broader biomedical supply chain, including laboratories and pharmaceutical companies.
The Ascension representative is expected to provide a firsthand account of the 8 May ransomware attack which disrupted the organisation’s electronic medical records system, phone systems, and various platforms used to order tests, procedures, and medications. This led to the temporary suspension of some procedures, tests, and appointments.
Tomorrow, most Council members are expected to argue that ransomware attacks, especially those targeting critical infrastructure such as healthcare, could constitute threats to international peace and security. In this regard, some members may recall that, in May 2022, Costa Rica had to declare a state of emergency following a cyberattack on dozens of government institutions, including the country’s finance ministry.
Several Council members are expected to highlight the work of the International Counter Ransomware Initiative (CRI), established in 2021 to foster cooperation in countering ransomware threats and holding perpetrators of malicious attacks accountable. CRI members—including Council members France, Japan, the ROK, Slovenia, Switzerland, the UK, and the US—convened for the CRI’s fourth gathering in early October, during which members discussed such issues as methods to counter ransomware attacks in the healthcare industry, cooperation with cyber insurers and the private industry to reduce ransomware payments and increase incident reporting, enhancing the security of critical infrastructure, and best practices to counter the flow of finances to ransomware actors.
Some Council members may reference the use of tactics such as cryptocurrency theft to support terrorist activities and to fund weapons of mass destruction programmes. Several members are expected to mention the activities of the Democratic People’s Republic of Korea (DPRK) in cyberspace, a priority issue for the ROK, Japan, and several other members. They might refer to previous reports by the Panel of Experts (PoE) assisting the 1718 DPRK Sanctions Committee, which have documented DPRK actors’ involvement in cyberattacks targeting financial institutions and critical infrastructure. (The PoE assisting the 1718 DPRK Sanctions Committee was terminated following a 28 March veto cast by Russia.)
Council members generally agree on the importance of implementing the existing norms of responsible state behaviour in cyberspace and undertaking confidence- and capacity-building measures to reduce mistrust among member states and promote stability in cyberspace. However, members have diverging views on the applicability of international law in cyberspace and the need for developing additional legally binding obligations. (For more information on Council dynamics on this issue, see the brief on cybersecurity in our June 2024 Monthly Forecast.)
Additionally, member states recognise the difficulty of attributing responsibility for malicious cyber actions, with Russia frequently arguing that malicious cyber activity should not be attributed to a state based solely on the activity’s origin. In this regard, some states have proposed establishing a global accountability mechanism for cyberspace, in line with the recommendations of the Secretary-General’s July 2023 policy brief A New Agenda for Peace.
While most member states acknowledge the Security Council’s role in addressing cybersecurity issues, opinions vary on the extent of its desired involvement. At previous Security Council open debates and Arria-formula meetings on cybersecurity, some member states have expressed support for the Council’s role as a platform for raising awareness and discussing emerging threats posed by new technologies, as well as sharing lessons to formulate appropriate responses. Others have advocated for more active engagement, potentially involving investigations under Article 34 of the UN Charter into specific cyberattacks and dispute resolution under Chapter VI. (Article 34 provides that the Security Council may investigate any situation which might lead to international friction or give rise to a dispute, while Chapter VI concerns the pacific settlement of disputes.) Russia, on the other hand, has maintained that the Security Council is not the appropriate forum for discussing cybersecurity, arguing that it should defer to more inclusive platforms such as the OEWG.