What is an act of war in cyberspace?

The Mondelez vs. Zurich case raises the question: what exactly is cyber war? Are North Korean hackers breaking into Pentagon computers, or Chinese cybercriminals breaching the computer systems of major US military contractors, committing an act of war? Is an anonymous hacker’s cyberattack on a nation’s financial system an act of war? Insurance companies could label all of the acts above an “act of war” to avoid paying claims. Is it enough for insurance companies to point to a government’s statements as proof positive that an individual or nationwide cyber attack was an act of war? The burden of proof falls on the insurance company. In this case, Zurich needs to prove that NotPetya was, indeed, an act of cyberwar. Easier said than done. It is immensely difficult to track the origin of any hacker attack on any computer system. Would intelligence agencies have to provide proof in courts, thus likely revealing trade secrets?

In the case of NotPetya, intelligence agencies in five countries blamed Russia for the attacks. However, none provided proof that the Russian government was responsible for the attack.

The size and scope of cyber attacks have escalated to astronomical heights in the last couple of years. In the case of NotPetya, the total cost related to the ransomware cleanup is close to $80 billion. Besides Mondelez’s massive bill for the cyber attack, Maersk and FedEx project that their losses are in the neighbourhood of $300 million each. So there should be little surprise that insurance companies are trying to wiggle out of paying by invoking the “act of war” clause.

The world of cyber security is changing much more quickly than policies, regulations and insurer products can keep up with. Zurich’s refusal to pay for losses from the NotPetya ransomware attack, claiming it was an “act of cyber war”, sets a nasty precedent for the insured. In any event, it should be a warning to organizations that, in the face of a major cyber attack, they must have a proactive information security management (ISM) system in place to defend and protect themselves rather than count on their insurance policies to bail them out.

Cyber adds new and significant uncertainty to warfare, justice, and insurance, making it difficult to respond adequately. To this end, an International Attribution Consortium has been proposed in which a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”[i]

All organizations should consider a Zero Trust architecture based on the likes of OpenBSD, OpenSSH, OpenBSD PF, and a long list of other smart, vetted open source software as the foundation for their ISM. It is an ugly world out there, where security is not for the passive! In this cyber world it is important to remember: you must outrun to outlast!

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR2081.html