Former FBI official proposes terror designations for ransomware hackers targeting hospitals
In testimony set to be delivered Tuesday before the House Homeland Security Committee, Cynthia Kaiser — who served as deputy assistant director in the FBI’s Cyber Division from 2022 to 2025 — also urged officials to examine whether prosecutors could pursue homicide charges under federal felony murder standards in cases where ransomware attacks on health facilities result in documented patient deaths.
Ransomware, malicious software that holds a victim’s systems or data hostage and demands payment in exchange for restoring access, costs U.S. victims tens of millions of dollars every year. Ransom hackers often target hospitals because disruptions can create urgent pressure to restore operations and therefore increase the likelihood victims will pay.
“When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within those definitions [of terrorism],” says Kaiser’s written testimony, which was given to Nextgov/FCW ahead of the hearing.
“At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224,” she adds, referring to the post-9/11 order that empowers agencies to crack down on foreign entities that commit, or pose a significant risk of committing, acts of terrorism.
The proposal is significant because, if implemented, it would broaden the use of counterterrorism tools against cybercrime, and it underscores a shift toward treating the most harmful ransomware attacks as national security threats.
Terrorism labels could give the government access to a broader set of tools than traditional cybercrime prosecutions, including the ability to freeze assets, restrict financial transactions and pursue charges against those who provide material support to designated actors, even when they operate overseas.
The label also means U.S. spy agencies could increase intelligence collection targeting the ransomware actors and their networks, and nations may face “significant diplomatic consequences” for harboring individuals involved in such cyberattacks, Kaiser adds.
Congress would likely play a central role in clarifying or expanding the legal framework for such designations, though recent administration actions — including the National Cyber Strategy and a related executive order on cybercrime — could also shape how those authorities are applied.
The proposal also suggests lawmakers consider whether the 2002 Terrorism Risk Insurance Act could help ensure hospitals get insurance coverage for cyber damages under such designations.
“The goal is not to punish victims. It is to ensure that the most dangerous actors in the ransomware ecosystem face consequences proportionate to the harm they cause,” the testimony reads.
In arguing for murder and manslaughter charges when such attacks cause death, Kaiser says the number of patient deaths caused by ransomware is higher today compared to documented evidence from previous years and that the “true number of lives lost to this crime is almost certainly in the hundreds.”
Under federal law, prosecutors can pursue murder charges when a death occurs during certain dangerous felonies, even without intent to kill, though that standard is not typically applied to cyber offenses.
“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” the testimony says.
The pace of ransom intrusions on healthcare institutions has not slowed. A ransomware attack on the University of Mississippi Medical Center in February forced clinics across the state to shut down and surgeries to be canceled.
In 2024, a major ransomware attack on Change Healthcare disrupted critical healthcare systems nationwide and highlighted how such incidents can easily create negative downstream impacts on other components of the U.S. medical supply chain.
The U.S. has previously worked with international partners to take a harder line on ransom payments, though expert views remain split. Some argue payments should be banned because they fuel further cybercrime, while others say not paying could leave victims, including hospitals, with few options to quickly restore critical systems.
“The FBI and its federal partners are doing everything they can with the authorities they currently have,” Kaiser says. “I know this from the years I spent working alongside those agents. But the worst of the worst — those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”
“These hackers are counting on us to respond with incremental measures,” she adds. “I urge you to prove them wrong.”