C. Warren Axelrod

Cyberwarfare—Yes? Cyber Insurance—No!

Just when you think that you are covered, you discover that you may not necessarily be protected by your cyber insurance. That was the startling message in an article by Adam Satariano and Nicole Perlroth with the title “Cyberattacks Reveal an Insurance Gray Area” in the SundayBusiness section of The New York Times of April 21, 2019. The online version of the article, dated April 15, 2019, with the title “Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong,” is at https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html?searchResultPosition=1

As you can read in the article, whether a claim is accepted or not might depend on the definition of cyberwarfare. Insurance companies refuse to pay out, under the so-called “war exclusion,” if they consider a cyberattack—even one that is not specifically aimed at the subject organization—to be an act of war. They have apparently done so in the cases of Mondelez and Merck, both of which were attacked by the NotPetya malware that ravaged international business (including a Russian oil company!) in the summer of 2017. There is an excellent article by Andy Greenberg, dated August 22, 2018, with the title “The untold story of NotPetya, the most devastating cyberattack in history.” The article describes in detail the events of the attack. It is available at https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

There has been a long-standing issue as to what constitutes “cyberwarfare.” I discussed the matter in my BlogInfoSec column of June 20, 2011 (yes, 8 years ago) with the title “Against All Enemies.” I was responding to an Op-Ed column by Richard Clarke in The Wall Street Journal of June 15, 2011.

The remaining questions are: What constitutes cyberwarfare? Who decides whether a particular cyberattack is an act of war or not? What is a justifiable response to such acts?

It seems that we still do not have a generally accepted definition of cyberwarfare. This should come from governments and should be internationally supported—not from insurance companies. Yes, there will always be issues of attribution, but those exist in the physical world also, as discussed in my June 2011 column. So far as responses are concerned, insurance companies can deny claims, as they have, under the war exclusion, where litigation becomes the final arbiter. But what about governments and the military? How do they respond when attribution is so nebulous? Good questions all. But we seem to be as far from the answers as ever.
