Media, social feeds, and other sources of news are awash with stories of the “first death linked to ransomware” following an incident in Düsseldorf on 09 September 2020. Since the event, authorities in North Rhine-Westphalia have launched an investigation treating the death as “negligent homicide”. At the time of this writing, I was unable to identify precisely what crimes are under investigation, but the term “negligent homicide” indicates a lower-tier offense than murder, one that lacks intent, which aligns with German legal practice.

While the precise criminal violation investigated is interesting in depicting the state’s view of events, the commentary crowd has already gotten well in front of the incident with hyperbolic statements of death by ransomware and similar notions. The central premise behind many of these statements is that society has now reached a moment where ransomware is directly, obviously killing people, with this incident being somehow different from other “chain of causality” events that may have happened prior.

Yet this seems strange and difficult to defend on several levels, not least because of some fuzziness over the circumstances in the German hospital itself. Available descriptions of the incident indicate the following chain of events:

  1. Ransomware actor targets German university for monetization.
  2. Threat actor leverages an unpatched Citrix VPN vulnerability to breach the victim’s network.
  3. Ransomware impacts hospital network linked to the university inadvertently.
  4. After learning of this unintended consequence, the ransomware actors release the decryption key to the victim.
  5. Hospital IT systems (30 servers, apparently no actual medical systems) are impacted for an extended period of time during asset recovery.
  6. A patient scheduled for treatment at the hospital is redirected to another facility approximately 60km away.
  7. During the delay imposed by the transfer to the other hospital, the patient died.

Let’s start with the obvious: due to the events described above, someone died and that is a tragedy, especially if that outcome could have been avoided. The question though is precisely how that outcome could have been avoided and where responsibility or causality lies in the chain of events described above.

First, one can argue that absent the ransomware actors deploying malicious code in the hospital network – intentionally or accidentally – the woman would not have died. This seems pretty clear, although the nature of the death and the chain of events make culpability and responsibility somewhat murky. Legal systems differentiate the accidental but negligent killing of a person (typically using terms such as “manslaughter” or “negligent homicide”) from the deliberate, intentional killing of another (murder). The act under discussion trends strongly (if not exclusively) toward the former: an unplanned, unintentional death brought about through a service disruption.

In this set of scenarios, while the ransomware actors cannot reasonably be held responsible for deliberate, planned killing of an individual, they certainly seem culpable for creating the preconditions necessary for the otherwise avoidable death of an individual. Yet if we approach the subject in this fashion – creating the circumstances for the terrible outcome – and follow the argument to its logical conclusion, matters are not as clear as they would seem. As quoted in the BBC:

“[The German Federal Office for Information Security’s (BSI)] president Arne Schönbohm said hackers took advantage of a well-known vulnerability in a piece of VPN (virtual private network) software developed by Citrix, and warned other organisations to protect themselves from the flaw.”

This moves us to item 2 on the chain of causality. While there was certainly a desire on the part of criminal entities to deploy ransomware to generate profit, such an action within the environment of this specific victim was only possible due to a preventable weakness in the victim’s network. But for the failure to patch a known, actively exploited flaw in the university’s network, the ransomware entity would have been unable to deploy the code that created the conditions enabling the death of the patient. In this case we are treating an act of omission (failing to patch) as a significant item for culpability, whereas typical human focus lies on acts of commission (deliberate acts to change the state of the world, such as the ransomware deployment).

As illustrated in so many trolley problems, the question becomes one of perspective and how one allocates responsibility. In this example, do we look at the ransomware actors as “flipping the switch” that moved the runaway trolley onto the track where it killed a person, or do we look at the ransomware activity as the out-of-control trolley and the network administrators as failing to flip the switch (patch their VPNs), thus allowing the trolley to kill a person? Unfortunately, I don’t have a good answer here, but I provide this example to illustrate that answers to “who is to blame” in this situation are neither simple nor necessarily unitary in nature – e.g., blame may most appropriately be apportioned between both the criminal entities and the network administrators for enabling the circumstances in play. Furthermore, the chain of causality reflects multiple issues beyond just “ransomware killed someone”, so that one could make a statement of equal validity that “failing to patch killed someone”.

Yet there is still another consideration. As described in the Washington Post article:

“A report from North Rhine-Westphalia state’s justice minister said that 30 servers at the hospital were encrypted last week and an extortion note left on one of the servers, news agency dpa reported.”

This observation highlights step 5 in the chain of causality above – the hospital’s IT systems were impacted, but based on available information, medical-specific equipment (diagnostic machines, etc.) does not appear to have been affected in the incident. This leads to another question if we are examining the death from the perspective of “enabling the circumstances leading to an avoidable death”: why would an impact to the hospital’s IT network result in the modification of a planned (not emergency) life-saving procedure, inducing a delay in delivering medical treatment?

From this perspective, the only reason two IT-centric events (ransomware deployment enabled by a failure to patch a known external-facing vulnerability) could result in the death of a patient would be failures in incident and disaster response planning at the hospital itself. While these other acts – of omission and commission – are concerning, they would have been unable to produce any meaningful impact had the hospital system in question developed the means to adequately respond to and mitigate something such as an IT failure. In this view, a number of potential conditions could have produced similar circumstances leading to the death of a patient. Absent these operational and risk mitigation failures, even with the creation of an undesirable operational environment, the patient may very well have lived.

Given the above murkiness concerning causality, preconditions, and links between events, a statement such as “ransomware killed someone” is faulty, if not outright absurd. We should be careful as analysts and observers in making such simplified statements about complex events. While ransomware is certainly a terrible scourge in its own right, from financial loss to potentially providing cover for state-directed disruptive events, situations such as this death in Germany also highlight fundamental weaknesses in critical infrastructure maintenance and operations.

Viewed in this light, ransomware is only a potentially existential problem because of an inherent brittleness or lack of resilience in critical societal functions. The unintended, likely preventable death of the woman in Düsseldorf can therefore be viewed as a result of underinvestment and failed contingency planning within a critical societal function (healthcare) with ransomware just serving as the proximate cause highlighting the underlying deficiencies.

That a ransomware event served as the spark does not take away that the “kindling” enabling the conflagration was present prior to the event taking place. However, just as we (rightfully) blame the arsonist for deliberately setting a fire resulting in damage or death (even if the arsonist did not desire such outcomes), we also look at the situation to determine what conditions enabled the dangerous event to start and allowed the fire to spread to achieve such tragic consequences.

Therefore, despite the “good natured” effort on the part of the ransomware actors in this event to provide a key once they realized they had inadvertently infected a hospital network, they should be identified and prosecuted to the fullest extent of the relevant laws. Ransomware actors must be held responsible and accountable for the disruptions their activities impose on societies, and these groups have escaped meaningful consequences for far too long.

However, as already reflected in the language around the investigation, the death results from negligence rather than a deliberate act, and it should highlight important lessons that we – as information security professionals, risk assessors, and critical infrastructure owners and operators – should take away from this terrible incident. Namely, the ransomware was only the initial mover, setting off a chain of events that exposed a number of other operational and institutional failures leading to a preventable death. While we may argue that “but for” the ransomware the person would still be alive today, the chain of events described above identifies a number of systemic weaknesses and failures that allowed a computer intrusion to indirectly result in the death of a patient.

Taking the view that “ransomware killed someone” obscures these other, more fundamental causes and provides an easy “out” from addressing more problematic and serious issues within critical infrastructure. This is not to say that the hospital IT administrators and risk assessors should be prosecuted for murder, but the above argument should make quite clear that such personnel and related decision-makers need to invest in some serious introspection to determine how an (avoidable) event could result in such a catastrophic outcome. While we certainly need to reduce and eliminate ransomware incidents, impacts such as those manifested in Düsseldorf could emerge from a variety of sources – from power disruptions to deliberate destructive cyber events. Solving the ransomware problem would therefore address only a symptom of an underlying illness within the operation and resilience of many aspects of critical infrastructure.


1 Comment

Kurt Thomas · 09/24/2020 at 21:22

Good points re guilt and causality.

You may want to double-check Mr. Schönbohm’s function.
