In the summer of 2017, the Russian government implanted malware in a commercial accounting software called M.E. Doc, used by the majority of Ukrainians to file their taxes. The malware known as NotPetya spread quickly throughout Ukraine. But what began as targeted attack against a regional rival soon morphed into a global campaign that wreaked havoc on dozens of companies around the world. Multinational giants such as Merck and FedEx each suffered hundreds of millions of dollars in damages as the malicious code spread from their business networks to critical industrial control systems. With total damages estimated at approximately $10 billion, NotPetya was the single most costly known cyberattack in history. Almost two years later it may have an impact on the legal standards related to cyberwar.
Among the other victims of NotPetya’s collateral damage was Mondelez, the U.S. food company that claims Oreo as one of its brands. After the malware rendered 1,700 servers and 24,000 laptops “permanently dysfunctional,” Mondelez submitted a $100 million property insurance claim, citing their coverage for “physical loss or damage to electronic data, programs or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.” Zurich, their insurer, refused to pay, citing an exclusion for “hostile or warlike action in time of peace or war... by any government or sovereign power, military, naval or air force, or agent or authority of any party specified above.” Mondelez is suing, putting an Illinois state judge in the unusual role of interpreting the law of armed conflict.
Cyber insurance is complicated. Unlike with automobile, life, or even health insurance, cyber risk is hard to predict and measure. It suffers from a dearth of actuarial data and a volatile threat landscape. Case and point is North Korea’s cyberattack on Sony Pictures Entertainment. In 2014 when Sony released “The Interview,” a parody of Kim Jong-Un that culminated in his assassination, the movie studio’s cyber risk profile skyrocketed. And, in fact, North Korea retaliated by leaking the company's confidential data, wiping data from its computers, and bricking its systems. No insurer could have anticipated this exposure beforehand, much less run actuarial calculation to assess its likelihood.
Such unexpected exposures are increasingly rare, thanks in large part to a growing understanding for the scope and scale of cyber risk. But for those truly unexpected exposures, insurers have adopted new limitations and applied exclusions more broadly than usual. The war exclusion, for example, was originally aimed at addressing physical damage caused by conventional military operations. It was specifically designed to protect insurers from the insolvency that would inevitably ensue if multiple customers were suddenly consumed by aerial bombing or ground invasion. After 9/11, insurers added a standard exclusion for terrorism. And now at least one insurer is seeking to expand the aperture even further to include cyberattacks attributed to nation-states within the exclusion.
The key word in this case is attribution. Linking a hacker’s tradecraft and tools with other factors like motivation, timing, sophistication, and capability is hard enough. But unlike in the physical domain, perpetrators of cyberattacks enjoy significant plausible deniability by virtue of the use of proxies and the inherent veil of obscurity afforded by cyberspace. Governments are also often reluctant to reveal evidence of attribution lest they jeopardize the sources and methods that granted them such valuable insights. Their claims also naturally suffer from a perception of political bias, leaving the task of proving attribution to researchers and the private firms that employ them. The Illinois court may, therefore, rely not only on statements made by the U.S. and U.K. governments condemning Russia for these attacks, but also on the forensic analyses of private companies, including those based overseas.
But even if the statements of Western governments and researchers are enough to convince courts of Russia’s wrongdoing, does such an attack rise to the level of “hostile or warlike action”? And if so, are victims of previous attacks publicly attributed to nation-states — like the North Korean attack on Sony or the Iranian attack on the Las Vegas Sands Corporation — in a similar position?
And more importantly, do we want an Illinois court establishing this principle — one way the other — in the course of adjudicating an insurance dispute?
As a general matter, governments around the world have shown extreme reticence in defining what constitutes an “act of war” in cyberspace — and for good reason: Once you decide something is an act of war in cyberspace, your people might expect you to respond, and this might lead to escalation. Similarly, one nation’s covert influence operation might be another’s attack on election infrastructure. And all this might lead one to wonder whether the next major global conflict will erupt first online.
The main point here, though, is less about insurance coverage and more about how we — as a nation — think about the consequences of cyberattacks.
We don’t expect companies to defend themselves against nation-state attacks; we don’t expect corporate guards to carry shoulder-launched rockets to defend against an air attack from a hostile nation. Yet today, we expect the cyber equivalent from every company in our nation. That makes little sense.
The parties in the Mondolez-Zurich dispute are simply an example of a much bigger problem that our nation’s leaders haven’t yet answered: When another nation seeks to come after us, our companies, and our citizens in cyberspace, whose job is it to defend them and why aren’t they doing it?
Dave Weinstein is Vice President for Threat Research at Claroty and a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School. He previously served as the Chief Technology Officer for the State of New Jersey and at U.S. Cyber Command. Jamil N. Jaffer is Vice President of Strategy & Partnerships at IronNet Cybersecurity and the founder and executive director of GMU’s National Security Institute. He previously served in a variety of national security roles across the federal government and worked on President George W. Bush’s Comprehensive National Cybersecurity Initiative.