Was the Colonial Cyberattack the First Act of Cyberwar Against the U.S.? Finding the Threshold of War for Ransomware Attacks
On May 7, 2021, “DarkSide,” a foreign hacker group, conducted a ransomware attack against the Colonial Pipeline (“Colonial”). That morning, Colonial discovered a “ransom note demanding cryptocurrency.” The attack forced the shutdown of the Colonial Pipeline, stopping the daily delivery of 2.5 million barrels (MMBbls) of “gasoline, jet fuel and diesel” to the East Coast. The shutdown created fuel shortages, impacted financial markets, and panicked the public. The resulting fuel shortages and economic impacts “triggered a comprehensive federal response” on May 11, 2021. On May 12, CEO Joseph Blount paid a ransom of nearly $5 million in bitcoin to restore control. The federal government treated the attack as a cybercrime, ultimately seizing and returning some of the ransom payment.
Ransomware attacks, like the attack against Colonial, are the leading type of cyberattack. Norton Security estimated that in 2021, “there [would] be a ransomware attack on businesses every 11 seconds.” While a majority of cyberattacks are treated as matters for law enforcement, critical questions arise when the attack is a matter of national security. At what point does a cybercrime become more than a cybercrime? At what point is the attack an act of war? Here, the Colonial cyberattack provides a case study for analyzing whether a ransomware attack on critical infrastructure constitutes an act of war. Creating a threshold for acts of cyberwar is critical to developing future strategies to deter cyberattacks and avoid a so-called “Cyber–Pearl Harbor.”
This Note argues that the Colonial cyberattack was an act of cyberwar because the attack crossed a six-factor threshold developed from both domestic and international “laws of war.” Therefore, the federal government can respond to the Colonial cyberattack with military force as authorized under 10 U.S.C. § 394 and subsequent presidential policy directives (“PPDs”). Under this statute, a military response could have been led by U.S. Cyber Command (“USCYBERCOM”) or conventional military forces.
Part I of this Note discusses ransomware and the current domestic and international legal frameworks behind cybercrime and cyberwarfare. Part II creates a six-factor threshold for cyberwar developed from the law and argues that the Colonial cyberattack crossed that threshold into cyberwar. Further, this Part describes what a military response under 10 U.S.C. § 394 would look like. Finally, while this Note identifies the ability to use military force, such force should only be used proportionally and as a means of self-defense or deterrence.