© All rights reserved to Barnea Jaffa Lande Law offices


Ransomware Attacks – New Israeli Justice Ministry Recommendations

In light of the increase in fraud crimes in the digital space, a team from the Israeli Justice Ministry has formulated recommendations for defining a policy to contend with ransomware attacks. The recommendations relate to both private entities and government bodies.

 

According to the statistics, the National Cyber Directorate’s hotline received 12,739 calls from citizens and organizations in 2021 about cyberattacks, including ransomware attacks. (For comparison, between 2019 and 2021, it received 413 reports of ransomware attacks.) The assessment is that the number of cyberattacks that occurred but were not reported is significantly higher.

 

The new recommendations are part of a more comprehensive examination conducted by the Justice Ministry of how enforcement authorities handle these cyberattacks, including the provision of support to entities under attack, assistance to victims of fraud in the digital space, investigation, and enforcement.

 

The recommendations pertain to two aspects of contending with ransomware attacks and cyberattacks. The first aspect concerns the question of ransom payments, while the second aspect concerns media coverage of such attacks.

 

In principle, the team has determined that paying a ransom is an undesirable action, inter alia, because the payment does not help restore the situation to the status quo, encourages the recurrence of such attacks, finances illegal activities, and does not guarantee that information will not leak in the future. Nevertheless, the team is not recommending the imposition of a sweeping prohibition on ransom payment. Rather, it recognizes the need for entities to maintain flexibility in contending with ransomware attacks.

 

These recommendations are consistent with positions published worldwide in this regard.

 

The team differentiates between private and public entities in the context of ransomware attacks.

 

Private Entities

 

For private entities, the team’s recommendations include, among other things, the following:

 

1. Private entities must immediately report the attack and the payment of ransom, if paid, to the relevant authorities.

 

2. The authorities should consider parameters and circumstances that may reduce the risk of criminal liability for paying a ransom, provided entities report the attack before paying the ransom and that they cooperate with the authorities.

 

3. Authorities must inform the public that there are circumstances when paying a ransom may lead to criminal liability against the payer, inter alia, within the context of terrorism financing and/or money laundering in Israel, as well as within the context of international violations of the provisions of OFAC (Office of Foreign Assets Control), which include a list of entities to which payments are prohibited.

 

Government Bodies

 

With regard to government bodies, the team recommends as follows:

 

1. Government bodies must obtain high-level judicial approval before transferring ransom payments, following consultation with cyber defense and security professionals.

 

2. Government bodies should be cognizant of the fact that payment of a ransom may mean the State will be involved in the commission of an offense.

 

3. Government ministries must report ransomware attacks to the relevant authorities.

 

Media Coverage

 

In addition, the team discussed the positive and negative aspects of media coverage of ransomware attacks. It highlighted the tension between the public’s right to know, freedom of the press, etc., and giving resonance to such attacks, particularly attacks intended for terrorist purposes or to jeopardize national security.

 

In this regard, the team concluded that the gag mechanism prescribed in Israeli law provides a good solution and should be considered for application to ransomware attacks as well. The team proposed several guidelines regarding the procedures for applying for and issuing gag orders within this context.

 

The team also addressed the reporting obligations already prescribed in the laws that apply to the Privacy Protection Authority and the sectoral regulatory authorities, as well as the issues of information and the public when public companies are involved.

 

These recommendations shed light on the risks that entities face in the event of a ransomware attack or cyberattack and emphasize the need for readiness to contend with such attacks in advance.

 

***

 

Barnea Jaffa Lande’s Regulation Department is at your service if you have questions about cybersecurity, privacy and data protection and other issues.
