I have been reading about the ransomware attacks on several hospitals. It made me wonder, if somebody ended up dying because of this, could the creators of the software be charged with capital murder? Cyberattacks are considered to be felonies.
In most jurisdictions (all?), the felonies eligible for felony murder are enumerated by statute. I doubt that they include computer crimes.
Capital murder usually involves a specific intent to kill. It would be very difficult to prove that level of intent for someone who plants a virus which is intended to extort money. But I’d believe manslaughter, reckless homicide, and some kind of depraved indifference homicide charges.
Forgot – I am not a lawyer, a computer hacker, or a murderer.
IANAL either, but I don’t believe this is correct. Killing someone while committing arson is capital murder in many jurisdictions and there needed be any intent to kill – just to commit arson.
The felony murder rule (where it exists) is an exception to the mens rea requirement for murder convictions. To follow up on Richard Parker’s point, the enumerated crimes that trigger the rule are invariably dangerous crimes only - battery, robbery, rape, arson and so on.
Now, if you blew up a hospital’s servers and somebody died because of a resulting failure in a ventilator or whatever, sure.
This raises an interesting question that probably needs a REAL lawyer to answer. I looked up the Texas penal code figuring if there’s anyplace that has an expansive death penalty, that would be the place. Here’s what it says:
I read this as meaning that they commit the murder while doing the other thing, not that the death is an unintended outcome of one of these specified things. If I’m right, that would mean a “regular” murder is enhanced to a capital murder if one of these other crimes is being done.
But I could be wrong.
NM - didn’t pay attention to distinctions in Texas law.
Assuming that it could be proved beyond reasonable doubt, that a death occurred directly as a result of some DNS attack on a hospital (pretty hard to do in my layman’s opinion), a perpetrator could possibly be charged with manslaughter in the UK. (roughly equivalent to 2nd degree murder).
If the criminals had assets, they may well, after a criminal conviction, find themselves at the wrong end of a civil suit, where the level of proof is much lower. terms like “on the balance of probabilities” apply.
I have a memory of someone convicted of murder I on the basis of his being a getaway driver in an armed robbery in which someone was killed. The explanation was the he was guilty of felony in which someone was killed. He had never left the car. This would likely have been in PA, a common law commonwealth.
My understanding is that the felony you are involved in has to be one where death was a reasonably expected outcome, like armed robbery. Then, participating in the crime – even if you only drove the get away car and didn’t use the weapon – could get you charged with murder if someone dies as a result of that crime. (Even if the police were the only ones who shot someone – I’ve heard of police killing an armed robber and then charging his accomplices with his murder, because the crime they participated in contained a reasonable expectation that someone would be killed.)
But I don’t think death is a reasonably expected result of computer hacking, unless you’re playing wargames with the nuclear arsenal or something. I do think ransomware hackers could be charged with manslaughter or negligent homicide or something similar (if someone dies at a hospital as a result of their crime), just not murder, and certainly not capital murder.
I’m not a lawyer of any sort, though, just relaying what I know/an educated guess.
IANAL either but surely a prosecutor could argue that computer hacking of a hospital could well be reasonably expected to put some patients at the risk of death?
Nowadays hacking attacks are usually part of an extortion scheme, rather than just kids messing around, so I would say if someone were to die inadvertently because of them it would fall under those categories.
But does the death itself have to be shown to be a murder rather than accidental? If your wheelman accidentally runs someone over while robbing a bank could you be prosecuted under the felony murder rule?
But hackers just “messing around” have been implicated in some damn dangerous things.
The examples I’ve seen is that the death is nominally homicide, even if not culpable to the actual killer. Like, a police officer killing an armed robber in the course of attempting apprehension, and the robber’s getaway driver being charged with the felony murder.
It really depends on the goal of the hack. If you’re hacking into billing records, I can’t see where the expectation of putting patients at risk comes from. If you’re hacking into the system that controls patient breathing monitors then there is a clearer expectation of risk.
I think these things are just sent out into the ether. They didn’t explicitly attack hospital computers, and may not have known that hospitals use Windows computers for life-or-death purposes. They just put up a malicious web page that someone at the hospital clicked on. That’s not quite the same thing as participating in armed robbery.
No, and yes. All that matters is that the death is a reasonably foreseeable result of the underlying crime.
There is a distinction among jurisdictions between those following the agency theory and those that follow the *proximate cause *theory. In the latter, any death will do. In agency theory states, the defendant or an accomplice must have directly caused the death.
So in an agency state you are likely to be convicted of capital murder if you shoot somebody dead while robbing a bank, or an accomplice does, or you run someone over during your getaway, or an old lady has a heart attack when you pull out your gun.
In a proximate cause state, you could be convicted of capital murder even if the police shoot someone (including one of your accomplices!) or run someone over.
Doesn’t matter. Hacking isn’t one of the enumerated dangerous felonies. Whether a hacker could be charged with manslaughter under those circumstances is a different question.
I’ll say. Did you possibly mean to write “DDoS attack”? A death resulting from that would be a bit more plausible.
In New York, the felonies under the felony murder rule are:
One of the bar exam mnemonics still stuck in my head.
The felony murder rule will bite you! Baark!
Burglary, Arson, Assault, Robbery, Kidnapping
Some DNS attacks are DDoS attacks. Not all DNS attacks are DNS diversions.
I think the most relevent kind of attach would be a ransomware attack, where the hospital would be locked out of it’s accounting system. Which might, possibly, extend to locking it out of it’s patient record system. Which might possibly extend to locking it out of it’s pharmacutical and/or pathology system.
I would hope that being unable to use the WWW, or having their web page off air, would not be a danger to patients.