What of collateral damages in undeclared wars?

Today’s security environment is unpredictable. Threats can come from states’ cyber and hybrid warfare units and from non-state actors: cyber attacks by criminals, overseas adversaries, and terrorists. Cyber exploits now blur the line between a prelude to war and plain old crime. Countries are invading one another’s cyberspace, releasing exploits to assess the level of damage they can inflict or the level of penetration (compromise) they can achieve on computer networks of any kind: Local Area Networks (LAN), Personal Area Networks (PAN), Home Area Networks (HAN), Wide Area Networks (WAN), Campus Networks, Metropolitan Area Networks (MAN), Enterprise Private Networks (Intranet), Internetworks, Backbone Networks (BBN), Wireless Broadband Networks, even the Internet. If these networks were towns and cities, it would be an act of war, but no one wants to claim an act of war over hostile or warlike events in cyberspace, yet.

However, insurance companies are claiming that hostile or warlike actions by a country, or by people acting on behalf of that country, mean they don’t have to pay out for damages incurred by their insured claimants; they argue such cyberattacks fall under the ‘war exclusion’ section. Case in point: Mondelēz is suing its insurance firm Zurich for refusing to pay out on a $100m claim for damages caused by the devastating NotPetya attack, which rendered 24,000 laptops and 4,000 servers permanently dysfunctional.

For those whose memories need jogging, the NotPetya attack was an extensive wiper ransomware campaign. Major organizations around the world were affected, including A.P. Moller-Maersk, Merck & Co, Reckitt Benckiser Group, Beiersdorf AG, WPP plc, and many others. The entire goal of NotPetya was to inflict as much damage as possible on affected networks.

Many companies affected by NotPetya made claims for the cost of damages on their property insurance policies. Many policies suggested that the companies’ coverage for physical loss of or damage to electronic data and software, and for physical damage caused by malicious code, makes a cyber attack a valid claim. The insurance companies cite an exclusion found in most policies: a “hostile or warlike action” (the war exclusion clause) by a country, or by people acting on behalf of that country, means the insurer does not have to pay out.

The case has the makings of a precedent: governments blamed the NotPetya attack on the Russian military, and this link could affect future insurance claims. It gives both insurers and insured firms pause for thought when it comes to their insurance policies. However, most cyber attacks to date have hit civilian (as in non-military) targets who conduct their business and lives unaware that an undeclared war is taking place. The economic damage from such malicious events can only increase, and it blurs the line between cyber crime by criminals, malicious acts by thrill seekers, and deliberate pre-emptive strikes as a prelude to outright war. What if it is an accidental release during a test of a weaponized cyber exploit? Would a country admit its error and pay compensation? Not likely, even if its secret hacking tools fell into unknown hands; remember the Cisco exploit that came to light after the Shadow Brokers revealed the NSA was hoarding zero-day exploits.

The attribution of cyber exploits to countries like China, Iran, North Korea, Russia, the UK and US, or groups of states like NATO and the 5 Eyes, could see this play out in future, with insurers using the link as a legal argument in cases relating to cyber attack claims. It remains to be seen whether these changes materialize as cyber-specific policies purchased by firms or as a tightening of the terms and conditions for general coverage in a company’s property insurance.

One thing is for sure: cyber and hybrid warfare have taken root in cyberspace because they are a great field leveller, especially for countries with smaller, less capable militaries than the world superpowers. This warfare posturing will surpass the Cold War, going from a few players to too many, and will result in ever-increasing damage to innocent bystanders with no recourse other than to reduce their cyberspace footprint, imaginably reducing their business potential as they lose their grip on the Information Age and slip back into the Industrial Age.

One thing is for sure: countries will continue to exercise their cyber and hybrid warfare skills, weaponizing exploits simply because everyone seems to be doing it, and no one wants to be caught flat-footed like Ukraine, which was one of the first guinea pigs for Russia. Hence, this can only lead to more severe cyber attacks or cyber incidents (accidents) that increase the cost of collateral damage to civilians who are never aware that a state of war exists.

As for the ‘war exclusion’ claim by insurance companies, is this a ploy to extort higher premiums from insurance buyers in the future, or to limit insurers’ exposure, since we all know that cyber incidents are on the increase, as is their severity, and hence their cost? This could be an impetus for organizations to consider Zero Trust systems and data encryption at rest and in motion more seriously.

As for cyber and hybrid warfare, will governments learn that if you let slip the dogs of war in chicken coops, it will reduce the production of eggs? Doubtful!

Nonetheless, it is imperative that we consider the value of an independent global organization whose mission consists of investigating and publicly attributing major cyber attacks. To this effect, I recommend reading RAND’s Stateless Attribution: Toward International Accountability in Cyberspace. [Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017.]

Cyberwarfare is the use or targeting in a battlespace or warfare context of computers, online control systems and networks. It involves both offensive and defensive operations about the threat of cyber attacks, espionage and sabotage. (Wikipedia)
Hybrid warfare is a military strategy that employs political warfare and blends conventional warfare, irregular warfare and cyber warfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention. (Wikipedia)