How Costa Rica found itself at war over ransomware

Costa Rica’s newly-elected president has declared a national state of emergency, as its ongoing crisis costs the nation an estimated USD $38 million a day.

Perhaps in a different time, we would assumed the country had been struck by a devasting natural disaster or was struggling with some internal conflict—but times have changed. Costa Rica has been struck not by an earthquake or a bomb or a strike, but by a new national crisis: cybercrime.

Handling cyberattacks has become an everyday activity of every nation on the planet, as they try to navigate the “wild west” of the modern internet. Nation-states, for-profit cybercrime syndicates, political activists, and determined pranksters trawl the web every hour of every day, looking for their next victim. And what better victim than a nation’s government network? Government networks and systems are loaded with resources and information, including personal data that is vital for federal and civilian operations. At the same time, they are often behind the curve on security best practices, making government websites and systems prime targets.

A month ago, on April 12, the Costa Rican government began experiencing a higher-than-usual number of cyberattacks on its national systems. Social security services and labor services began flickering in and out of functionality, and the attacks only increased in frequency over the following days.

At this point, unfortunately, the story may sound familiar because dozens of large-scale cyberattacks against nation-states have been reported over the last decade. Beyond attacks on governments, an uncountable number of attacks are levied against companies and individuals every day. But thirty days after the attacks began, the unique nature of this situation began to become clear.

A new president inherits a crisis

On May 8, with the national finance systems still not functioning normally, Rodrigo Chaves was sworn in as the president of Costa Rica. On May 11, as one of his first acts as president, Chaves declared a state of emergency. He reallocated funds from the previous COVID-19 state of emergency, believing that this declaration will allow the nation to respond nimbly and effectively to the crisis. But it is never quite that simple.

Hours after the declaration, Costa Rica’s National Commission for Risk Prevention and Emergency Management (CNE) made a public announcement that it had no route, no strategy, and no plan for handling this emergency.

All the gusto of Chaves’ declaration had been squandered by a lack of preparedness—not by lack of effort, of course. The Ministry of Science, Innovation, Technology and Telecommunications (MICITT) formed the nation’s Cyber Security Incident Response Team (CSIRT) in 2012. In 2017, the Costa Rican government officially adopted a National Cybersecurity Strategy, which outlined a series of steps that should be taken to protect the nation from cyberattack—a series of steps, it seems, that were not taken.

A country at war

And that’s not the end of complicated issues for this declaration of emergency. Days after the initial attacks, the infamous ransomware group CONTI took responsibility for the assault. CONTI, a Russian-speaking cyber-gang with alleged ties to the Kremlin, has been heavily involved in the ongoing Ukrainian conflict. A USD $10 million bounty for any information on its leadership and a USD $5 million reward for information on its members offered by the United States have failed to impede the group.

Suddenly, the exact language used in the declaration of emergency has massive implications. President Chaves said he wishes to stop the suffering of Costa Rica at the hands of “cybercriminals” and “cyberterrorists.” Cybercrime is one thing—the Costa Rican penal code has clear guidelines on prosecuting crimes of this nature—but “cyberterrorism” is a different beast entirely. The ransomware gang has said that its goal is to overthrow the government, and President Chaves’s response has been that the country is “now at war”, which is unique, considering that Costa Rica abolished its army 70 years ago.

Besides the potential political and international law consequences that this statement may have, Costa Rican penal code does not expressly have a definition of cyberterrorism on its books, but the undeniably politically motivated nature implied by “terrorism” has implications when applied to a group that is understood by many to be closely tied to the Kremlin.

An example to the world

Where does this leave Costa Rica, and what does it mean for the rest of the world?

Costa Rica continues to lose untold amounts of money daily from disruptions of service, and although the government announced an “action plan”, it seems they are still struggling with how to stop/contain the attack and manage this type of national-level crisis. Even if they were, there is no legal framework in place to meaningfully prosecute the perpetrators. At this point, the government must do five years of cyber-preparedness work in the next few weeks.

Latin America is rife with global critical infrastructure; what if these attacks spread there? The Panama Canal operates to the tune of USD $2.7 billion of revenue a year, and a disruption of service would have an economic impact an order of magnitude beyond that. On the border between Brazil and Paraguay, the Itaipu Dam produces more energy than another hydroelectric plant in the world, USD $3.2 billion worth. This is, of course, only scratching the surface.

Costa Rica failed to implement the cyber-preparedness strategy that it laid out five years ago and now serves as an example not only to other Latin American nations but also to the world. Nations need to update their infrastructure, develop response plans, update their penal codes and harmonize them with internationally recognized standards and best practices, and join the international cyber-community.

The world has been working together to ease the burden of any individual entity trying to fortify itself against cyberattack. The US National Institute of Standards and Technology (NIST) has published the Cyber Security Framework (CSF), which has been adopted by countless nations and private enterprises around the globe. Any nation that has not embedded itself in the international cyber community, any nation that has not codified its cyber-defense plans and strategies, any nation that has ignored its cybersecurity experts, is at extreme risk.

The best time to plant a tree is twenty years ago, but the second-best time is now.

Belisario Contreras is Senior Director, Global Security & Technology Strategy at Venable LLP. The views expressed in this article are those of the author alone and not of his employer.