Is Cyberwarfare War? Insurers Balk At Paying For Some Cyberattacks (thebulletin.org)
From the Bulletin of the Atomic Scientists:
In an era of unceasing cyberattacks, including cases of state-sponsored hacking, insurance companies are beginning to re-interpret an old line in their contracts known as the "war exclusion." Stripping away the metaphorical connotation of the term "cyberwarfare," big insurers like Zurich Insurance have decided that state-sponsored attacks are basically just plain warfare.
This shift comes as the U.S. government is increasingly attributing state-sponsored cyberattacks to their alleged perpetrators, a development that some argue is a means of holding bad actors accountable. But the policy certainly doesn't seem to be doing any favors to the private sector.
The maker of Oreo cookies was hit by 2017's "NotPetya" attack, but its insurer refused to cover its $100 million in losses, citing an exclusion for "hostile or warlike action in time of peace or war...by any government or sovereign power." Oreo called their response "unprecedented," saying the war exclusion has always been applied only to "conventional armed conflict" -- and not to cyber-attacks.
Slashdot reader Lasrick argues that an insurance company win in court "could make cyberwar much more real -- and costly."
my PC has PTSD from cyberwar (Score:4, Funny)
Good (Score:4, Insightful)
The last thing we need are companies with shit security being able to recover losses from insurance companies. That just shifts the risk and penalty from decades-long choices from their IT staff who no doubt warned them about a lot of things they were doing horribly wrong. I just wish they'd start fining more companies for data breaches.
Re: Good (Score:1)
If I were an insurer I would laugh at claims. Some of the claims are so obviously a scheme, legal or not, that they qualify as insurance fraud. Insurance investigators are the best in the business and you would be fooling yourself if you think you can put anything over on an insurance company. Insurance companies probably have better surveillance than the NSA.
Re: (Score:3)
If I were an insurer I would laugh at claims.
The industry has tried that endless times, and the end result is courts. And lawyers. And big insurance payouts on top of the legal fees.
That's why, if you were an insurer, you would usually just pay claims.
The real point here in this story is that if you're a company with an insurance policy that might cover some sort of electronic attack on your business, and that sort of attack happens, do not, I repeat, do not blame the attack on a sovereign power. Even if it makes your IT team look less bad. When reporters ask questions about if [some sovereign power] was responsible, say no; say it was clearly a criminal act undertaken by a group of bad actors.
They're never going to prove that some country was officially responsible; however they might easily prove that you already conceded that it was true.
And of course if you didn't have that sort of insurance in the first place, then just say whatever you want, you're still Free. But, mind your security better next time.
That was before insurers got smart and started writing computer security standards requirements into their policies. Now, all the insurance company has to do is prove that the insured didn't follow some security procedure and poof, no more claim. And the insurance companies have been winning on this one in court because there are obvious precedents for requiring certain real world practices (safety procedures, security policies, etc) to be followed in order to collect on a claim. So now the folks writing
Re: Good (Score:1, Insightful)
Usually the IT staff is shit at explaining the business risk of a cyber event. Some nerd yelling about hax0rs makes no impact, while a well defined business case explaining risk, the cost of a breach, and the cost of security makes all the difference.
Source: 20 year plus Infosec pro who started out hand waving about hax0rs and eventually realized that everything is about financial risk
Re: (Score:3)
In my experience, in 25+ years of IT, when security is mentioned in a top brass powwow, the CEO walks out, says, "security has no ROI", and that is the end of the discussion. In my experience, most companies are better off financially by paying off fines as opposed to actually going with solid security practices.
I have worked at a few companies who value security, where every process from the ground up was scrutinized for security vulnerabilities. However, those companies wind up getting bought out, and t
Re: (Score:2)
Quite often IT staff are a little cadre of incompetence. Firing the too smart and the too stupid, apart from the new guy they need to blame for everything. Once festered like a tick into the IT department, bad managers are hard to get rid of and often do quite bad things on the way out.
The insurance companies are screwed though, they can claim war and try to fight it off in court for as long as possible (the interest on keeping the money is less than legal fees and keep it going for as long as possible) but
Re: (Score:2)
The last thing we need are companies with shit security being able to recover losses from insurance companies.
Insurance companies don't just hand out money. They often do training and audits for best practices. This reduces claims by avoiding accidents and improving security.
Re: (Score:2)
Why would an insurance company insure a company that has shit security? Could you realistically get fire insurance if your building was not up to fire code?
The insurance company would mandate compliance audits, and require a post-intrusion investigation to ensure compliance existed at the time of the break-in.
Re: (Score:2)
Re: (Score:2)
A little spy-vs-spy killing, and suddenly cyberattacks aren't so tempting.
Or we could, you know, stop storing plain-text passwords on unsecured servers.
Re: (Score:2)
In recent cases it's been stolen NSA weapons turned against the US and its allies. Zero day vulnerabilities.
The only solution is for the NSA to stop hoarding exploits and get them fixed as soon as they are found.
Takes just one or two years to fix (Score:2)
Cyberwar? (Score:1)
Cyberwar, huh, yeah
What is it good for
Absolutely nothing
Cyberwar, huh, yeah
What is it good for
Absolutely nothing
Say it again, why'all
Alternate reply: Make cyberlove, not cyberwar.
Re: (Score:1)
You should be sent to Cyberia for that lame post.
Re: (Score:2)
[cackles] Fake laugh. Hiding real pain.
And a word only used by clueless people. (Score:1)
In Germany we call such people "Internetausdrucker". Somebody who prints out the Internet.
And I remember when "cyber" was still cool. And ending worlds with Z too. My ancient domains had both.
But as soon as politicians and Internetausdrucker started using it, and not just people who had read Neuromancer and file sharers, it was over.
The term Cyberwar is sensationalist BS (Score:5, Insightful)
War is large organised amounts of people trying to kill each other over some larger cause concerning one group/nation against another. "Cyberwar" is a bullshit term.
Re: (Score:2)
War is large organised amounts of people trying to kill each other over some larger cause concerning one group/nation against another. "Cyberwar" is a bullshit term.
If your military flies an airplane into a neighboring country and bombs a weapons depot, or power plant, and nobody is killed, it is still an act of war.
If your military does [blah blah blah] with a computer, causing a weapons depot in a neighboring country to explode, nobody cares about your cyber-blah-blah, it is equally an act of war.
Judges don't care if you try to re-define a word. When you say "that word means [blah blah blah]," the Judge first looks at where you're saying the meaning comes from; are y
Re: (Score:2)
So a foreign military attacked a cookie factory?
As a critical blow to America's flabby underbelly?
Riiiight.
Re: (Score:2)
So a foreign military attacked a cookie factory?
As a critical blow to America's flabby underbelly?
Riiiight.
If you think you can reduce the scope of the losses by making a fat joke, you'd be a crap lawyer.
Re: (Score:2)
Re: (Score:2)
That hasn't been true for a long time, if ever. A single person ordered by the government of a nation to kill one other person (e.g. assassinate a key target) or damage some bit of infrastructure can be an act of war.
Yeahhhhh, seems legit.... (Score:4, Interesting)
I'm pretty sure insurance companies aren't the appropriate entity to decide when something is an act of war.
Re: (Score:2)
The argument that Stuxnet was an act of war is 100 times stronger. The argument that phishing and z-tier memes is an act of war is pathetic.
Screw insurance companies (Score:2)
They're nothing but leeches. They take and take and take, and offer nothing in return.
If these companies are claiming cyberattacks are acts of war, then they should be required to point to the Congressional declaration of war.
If they can't, they should shut up and do what they've been paid to do: provide coverage to companies who experience loss.
Re: (Score:2)
The US went in to help and support South Vietnam?
The NSA detects anti-war material being created and sent out from a US college computer network?
The computer network mysteriously stops working. No more anti war material is sent out.
Was it the fault of the NSA?
Any detected action by the US gov? A request by "South Vietnam"?
An action by "South Vietnam" in the USA?
Did the US gov/mil know that "South Vietnam" wa
proof (Score:2)
It will be interesting to see an insurance company positively prove that an attack came from a national actor.
And how is an attack on an individual business an act of war?
Re: (Score:2)
It will be interesting to see an insurance company positively prove that an attack came from a national actor.
You won't ever see them try.
What you will see them try to prove is that the client already admitted that the sovereign actor was the most likely suspect, and that such a belief was reasonable.
The standard of "proof" is a preponderance of evidence. If the other party already agreed who was likely responsible, and that is the only evidence presented, it meets the standard. This is why many lawyers repeat the phrase "don't admit fault." In this case it is not only your own fault you don't want to admit!
And how is an attack on an individual business an act of war?
Well, o
Re: proof (Score:2)
Ok, so if the courts agree it's an act of war, does that mean that anyone waging such war is an enemy combatant, with all the legal implications, e.g. killing an enemy combatant while they are attacking you is not murder, and they don't have to be actually shooting you, they could be trying to sabotage a bridge, or your computer network - war is war, right?
Re: (Score:2)
No.
That's just another thing that has nothing to do with the case and the Judge won't even consider it. Those words are all already defined. You're playing Keyword Bingo and presuming it is Law.
incredibly dangerous to link "cyber" and "warfare" (Score:1)
It is incredibly stupid to create the mindset that "cyber-attacks" are "warfare". The Geneva Convention is very clear: a deadly attack by ANY citizen of one nation against another, regardless of the physical location of either citizen at the time of the attack, may be interpreted as an ACT OF WAR.
An Act of War permits all and any citizens of the nation being attacked - to immediately take up arms and respond with deadly force against all and any citizens and sovereign assets of the aggressor nation. there
Re: (Score:2)
Probably the US courts will just make up their own definition of the term and create a legal doctrine - just like the Supreme Court did with "qualified immunity" for police and federal agents. Such as: a computer-based hostile act against an entity by a national actor. This would be determined with the "preponderance of the evidence" evidentiary standard as it would be a civil, not criminal case. The aggrieved party would need to establish actual damages. So dueling expert witnesses and dodgy quotes from t
Re: (Score:2)
The Iranian nuclear enrichment project was not impacted in any way by the malware that got into the system.
The incredibly unsecured software that controls our infrastructure will never be a target of bad actors, and if it was all the IRL machinery it controls would operate perfectly when deliberately bad software takes over.
And no Boeing 737 Max ever fell out of the sky because of a software involved failure. None of tho
Cyberattack is an unratable risk (Score:2)
Insurance revolves around rating.
You assign a probability to each risk, and you aggregate the insureds into a pool that is big enough that you get the statistically expected losses in that pool. Then you set the premiums to cover those losses, plus a profit.
Cyberattacks don't work that way.
Everything is going along fine, no losses, and then BOOM! every computer in Europe is pwned within 24 hours, and you're on the hook for ALL the losses. Once the insurance companies realize this, they are going to stop ins
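The pooling argument in the comment above, as an added illustration that is not part of the thread: a simplified two-component loss model (independent per-insured events plus one common-shock event that hits the whole pool at once), with constructed probabilities and loss sizes. It shows why the per-insured risk shrinks with pool size for independent losses but stays flat for a correlated event, which is what makes the latter hard to rate.

```python
"""Aggregate-loss comparison for an insurance pool: independent risks versus
a common shock that hits every insured at once.  Added example; the model
and all numbers are constructed, not taken from any insurer's rating."""
from math import sqrt

LOSS = 100_000  # constructed loss per insured per event, in USD


def pool_stats(n, p_indep, q_shock, loss=LOSS):
    """Mean and standard deviation of the pool's total loss, expressed per
    insured.  Assumed model: each insured is hit independently with
    probability p_indep; in addition one common-shock event with probability
    q_shock hits all n insureds simultaneously.  The two parts are treated as
    independent of each other, so their variances add."""
    mean = n * (p_indep + q_shock) * loss
    var_indep = n * p_indep * (1 - p_indep) * loss ** 2        # grows like n
    var_shock = n ** 2 * q_shock * (1 - q_shock) * loss ** 2   # grows like n^2
    sd = sqrt(var_indep + var_shock)
    return mean / n, sd / n


def premium_per_insured(n, p_indep, q_shock, loading=3.0, loss=LOSS):
    """Pure premium plus `loading` standard deviations of safety margin
    (a crude stand-in for the capital an insurer must hold)."""
    mean, sd = pool_stats(n, p_indep, q_shock, loss)
    return mean + loading * sd


def diversification_benefit(p_indep, q_shock, small_n=1_000, big_n=1_000_000):
    """How much per-insured risk falls when the pool grows from small_n to
    big_n: about sqrt(big_n / small_n) for independent risks, about 1.0 when
    a common shock dominates (growing the pool does not help)."""
    _, sd_small = pool_stats(small_n, p_indep, q_shock)
    _, sd_big = pool_stats(big_n, p_indep, q_shock)
    return sd_small / sd_big


if __name__ == "__main__":
    scenarios = [("independent, fire-like", 0.01, 0.0),
                 ("common shock, NotPetya-like", 0.0, 0.01)]
    for label, p, q in scenarios:
        for n in (1_000, 1_000_000):
            mean, sd = pool_stats(n, p, q)
            prem = premium_per_insured(n, p, q)
            print(f"{label:28s} n={n:>9,d}  mean/insured={mean:8.2f}"
                  f"  sd/insured={sd:9.2f}  premium={prem:9.2f}")
```

Both scenarios have the same expected loss per insured; only the correlation structure differs, and that alone moves the loaded premium by an order of magnitude at scale.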
Re: (Score:2)
I don't think this is special "cyberinsurance," just a general insurance policy.
So there is no market that will vanish, and no policies that will go unsold; they'll simply stop covering this cause of loss.
Burden of proof (Score:2)
It doesn't matter if "cyberwar" is warfare (Score:2)
The agreement between a policy holder and an insurance company is a contract. There's no law that says they have to cover "cyberwar," whether or not it constitutes "war." The only question is, what did the parties agree to?
Now, if insurance companies are retroactively deciding that cyberwar is "war," that could well be a breach of contract. But if they are deciding to drop coverage for "cyberwar" in new policies, there's no problem. If you want coverage, you can ask for a rider to be added to your policy, w
not a problem (Score:2)
for a little bit more extra you can get insured against cyberwarfare losses too!
Cyber damages are BS (Score:2)
The amounts of damages due to 'hacking' are the sum of all the crap an organization can blame on a party who isn't there to defend themselves.
Why can't you be held accountable for your failure? Damn hackers.
You'd have to be nuts to insure that.