[Reading Time - 2 minutes 46 seconds]
Cybersecurity has often been called warfare between the attackers and the defenders. Now there is a lawsuit over this: that is, can a cyber-attack actually be an act of war? And more than just being an exercise in definitions, there are significant implications on the outcome of the decision.
Instead of using an army to march across the battlefield to strike an adversary, governments are using state-sponsored attackers for launching computer attacks against their foes. The foes may be foreign governments or even citizens of its own nation that the government considers hostile or threatening. And a growing number of attacks today from state-sponsored attackers are directed towards businesses in foreign countries with the goal of causing financial harm or damage to the organization's reputation.
So, is a government-backed state-sponsored attack an act of war? One insurance company is claiming that it is. And because of that they are refusing to pay for damages resulting from an attack.
In the summer of 2017 the malware NotPetya was unleashed upon the world. It was a particularly virulent attack that crippled computers around the world. Although originally thought to be a new and improved version of ransomware, NotPetya was later considered to be a state-sponsored Russian cyberattack against Ukraine that was disguised as a ransomware attack. The goal of the attack, according to many security researchers, was not extortion to earn money as with other ransomware attacks. Instead, it was a disguise used to permanently lock up Ukrainian computers. The government of the United Kingdom has been particularly vocal about charging Russia with the attack, but the Russian government has formally denied any responsibility.
Several of the high-profile victims of NotPetya included the pharmaceuticals company Merck, the world’s largest shipping group Maersk, and the package delivery service FedEx, among hundreds of other organizations. Many of these companies carried insurance to compensate them in the event of a successful attack. One survey estimated that insurance companies would have to pay out a total of $80 billion in claims as a result of the NotPetya attack. Maersk claims it lost $300 million as a result of NotPetya, and FedEx said it lost a similar amount.
Another victim of NotPetya was Mondelez, who is the U.S. food company that makes Oreo cookies and Ritz crackers. Mondelez claimed that it had been the victim of NotPetya not just once but twice. About 1,700 of its servers and 24,000 laptops had their contents encrypted by NotPetya and were rendered “permanently dysfunctional,” according to the company.
Mondelez turned to its insurer Zurich, with whom Mondelez had an insurance policy. Although this policy was not a specific cybersecurity policy, nevertheless this regular policy provided coverage for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.” Mondelez filed a claim of $100 million due to damages caused by NotPetya.
However, Zurich refused to pay. Why? The insurance policy has an exclusion that says Zurich shall not be liable for “a hostile or warlike action” by a government or sovereign power or people acting for them. And because NotPetya was thought to be a state-sponsored Russian cyberattack masquerading as ransomware, then Zurich says they do not have to pay since it's an act of war. Mondelez has responded back with a lawsuit against Zurich.
This is more than deciding on a more accurate definition for the dictionary. There is actually a great deal riding on this whichever way the courts decide.
If the courts come down in Zurich's favor, it could have significant implications for the insurance market. Insurers could be immune from paying claims for these types of attacks. And companies would have to take out more cyber-specific policies for protection.
But perhaps even more important is that a legal definition from the courts could ultimately define what constitutes a cyber-war. Is a government-backed state-sponsored attack an act of war? And does this then open the door for the victim nation to retaliate with their own cyberattack? And could it then escalate, with nations aligning with their allies and ultimately unleashing a global cyber war?
There is no indication when we may have an answer from the courts. But either way there could be significant implications to the decision.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.