Ex-FBI Official Urges Terror Designations for Ransomware Gangs Attacking Hospitals

Executive Summary

In testimony before the House Homeland Security Committee on April 21, 2026, former FBI Cyber Division Deputy Assistant Director Cynthia Kaiser proposed a significant strategic shift in how the U.S. government combats ransomware. She urged lawmakers and federal agencies to formally analyze whether ransomware attacks on hospitals and other critical infrastructure could be legally classified as acts of terrorism. This would allow the government to apply powerful counter-terrorism authorities, such as Executive Order 13224, to dismantle the financial networks of these criminal enterprises. Furthermore, Kaiser advocated for considering federal homicide charges in cases where a patient's death can be directly attributed to the disruption caused by a ransomware attack. This proposal seeks to reframe certain cybercrimes as life-threatening acts, opening the door to more severe legal consequences for the perpetrators.

Regulatory Details

The core of the proposal revolves around re-interpreting and applying existing legal frameworks to the modern threat of ransomware against critical infrastructure.

• Terrorism Designation (Executive Order 13224): This executive order, signed after the 9/11 attacks, gives the U.S. government broad powers to disrupt the financing of terrorist organizations. It allows the Treasury Department to block assets and prohibit transactions with designated entities. Kaiser's argument is that a ransomware group that knowingly attacks a hospital, aware that its actions will endanger human life, is committing an act that could meet the legal definition of terrorism: an act that is dangerous to human life and appears intended to intimidate or coerce a civilian population.

• Federal Felony Murder Rule: This legal doctrine allows for a person to be charged with murder if a death occurs during the commission of another dangerous felony, even if the person did not directly cause the death. Kaiser suggested that if a ransomware attack on a hospital (a felony) leads to a documented patient death (e.g., due to delayed surgery or inability to access medical records), prosecutors should explore applying this rule to charge the attackers with homicide.

Affected Organizations

If this policy were adopted, it would primarily affect:

• Ransomware Groups: They would face significantly increased pressure, with their finances targeted and their members facing the possibility of life sentences or more severe penalties.
• U.S. Government Agencies: The Departments of State, Justice, and Treasury would be responsible for the analysis, designation, and prosecution under these new interpretations.
• Healthcare Sector: Hospitals and other critical infrastructure providers would see a much stronger government response to attacks against them, potentially acting as a greater deterrent to attackers.

Compliance Requirements

This is a policy proposal, not an existing regulation. If enacted, it would not place new compliance requirements on the victims (hospitals). Instead, it would unlock new tools for law enforcement and the intelligence community to pursue the attackers. The primary 'requirement' would be for prosecutors and investigators to rigorously document the chain of causation between a cyberattack and a specific harm, such as a patient death, to a standard that would hold up in court.

Impact Assessment

Adopting this proposal would have a profound impact on the fight against ransomware:

• Increased Deterrence: The threat of being labeled a terrorist and facing homicide charges is a significant escalation from current financial crime charges. It could deter some groups from attacking critical infrastructure.
• Enhanced Disruption: A terrorism designation would allow the U.S. to use a wider range of diplomatic, financial, and intelligence tools to disrupt ransomware groups, their infrastructure, and their financial support networks.
• International Cooperation: It could make it more difficult for countries that provide safe harbor to these criminals to continue doing so, as they would be harboring designated terrorists.
• Legal and Geopolitical Complexity: The proposal is not without challenges. It would require a high burden of proof to link a cyberattack to a death. It could also have unintended geopolitical consequences if the designated groups are linked to nation-states.

Enforcement & Penalties

• Under Terrorism Designation: Penalties would shift from those for fraud and extortion to those associated with terrorism, including the complete seizure of assets, sanctions against anyone providing material support, and potentially military or intelligence action.
• Under Felony Murder Rule: Individuals could face charges of first-degree murder, which can carry a penalty of life in prison or the death penalty at the federal level.

Compliance Guidance

For healthcare organizations, this proposal reinforces the critical importance of documenting the impact of a cyberattack.

1. Document Patient Harm: In the event of an attack, healthcare providers should meticulously document every instance of patient care being delayed, diverted, or negatively impacted. This documentation could become critical evidence in a future prosecution.
2. Engage with Law Enforcement: Maintain strong relationships with the local FBI field office and CISA. Report incidents immediately and provide all requested information to support their investigation.
3. Preserve Evidence: Ensure that forensic evidence from an attack is preserved in a way that is admissible in court. This includes forensic images of affected systems, log files, and copies of all communications with the attackers.