Legal Liability for WannaCry


In Lethal Weapon 2, a corrupt diplomat repeatedly mocks the protagonists by pointing out that he has diplomatic immunity and cannot be arrested for all of the drug smuggling and violence that forms the basis of the movie’s plot. People are intrigued by this idea that someone might have immunity from the laws of a country. In international law, there is a concept called sovereign immunity that limits the ability of one country’s citizens to sue another country’s government. Sovereign immunity is a promise from one country to another to not use their court systems against each other. There may be exceptions for extreme circumstances, but sovereign immunity helps preserve diplomacy.

Ever since 9/11, victims of the terrorist attacks in New York and DC have attempted to sue the government of Saudi Arabia due to perceived connections between the Saudi government and the 9/11 hijackers. In 2015, the Justice Against Sponsors of Terrorism Act – JASTA – was introduced in Congress with bipartisan support. JASTA broadens the situations where a lawsuit against a foreign country will be allowed to proceed. President Obama and the State Department warned that this bill could diminish sovereign immunity and leave the U.S. vulnerable to lawsuits from other countries. In 2016, the House and Senate approved JASTA in spite of the administration’s reservations. After President Obama vetoed the bill, Congress overrode his veto, which required a two-thirds supermajority of both the House and the Senate.

It has only been a few months, so the long-term effects of JASTA are still unclear. If other countries decide to weaken the sovereign immunity that they recognize for the United States in their own courts, what might that look like? If we know what to look for, we might actually be able to watch this issue play out in real time.

For example, consider the recent massive global ransomware attack that used the software called WannaCry. The attack affected more than 100,000 organizations in 150 countries, and many of the victims were hospitals. The identity of the attackers remains unknown. What does this have to do with sovereign immunity and JASTA? Well, there is a hacking tool called EternalBlue that was part of WannaCry, and which helped WannaCry spread very quickly. EternalBlue was allegedly developed by the National Security Agency, and it was subsequently stolen from NSA servers and leaked to the public in a highly publicized manner by a group of hackers called the Shadow Brokers.

Some experts think that WannaCry may have caused as much as $4 billion in losses. WannaCry raises many legal questions regarding liability. Sure, the criminals who unleashed it are the ones who are most at fault, but they will be very difficult to track down. On the other hand, WannaCry included a cybersecurity exploit that was developed using taxpayer funds at the NSA. The NSA supposedly collects software vulnerability information without disclosing the vulnerability to the people who could fix it. By not making sure that the vulnerability is fixed, the NSA preserves the vulnerability as a possible tool against opponents.

There is not a lot in the established law about legal liability for cybercrimes for someone other than the actual attacker. The NSA’s actions might violate laws in other countries, but sovereign immunity would block efforts to hold the U.S. government liable. However, with the passage of JASTA, the United States has weakened the reciprocity promise underlying sovereign immunity. In the coming months and years, we may see laws start to emerge in other countries that are designed to impose liability on governments – including our own – that develop hacking tools that are subsequently exploited by someone else.

Author – Jay Kesan