Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Security

Who Pays for an Act of Cyberwar? (wired.com) 34

Cyberinsurance doesn't cover acts of war. But even as cyberattacks mount, the definition of "warlike" actions remains blurry. From a report: This summer marks the fifth anniversary of the most expensive cyberattack ever: the NotPetya malware, released by Russia in June 2017, that shut down computer systems at companies and government agencies around the world, causing upward of $10 billion in damage due to lost business, repairs, and other operational disruptions. Half a decade later, the businesses affected by NotPetya are still sorting out who will pay those considerable costs in a series of legal disputes that will have serious ramifications for the rapidly growing cyberinsurance industry, as well as for the even more rapidly growing number of state-sponsored cyberattacks that blur the line between cyberwar and standard-issue government cyberactivity.

Whether or not insurers cover the costs of a cyberattack can depend, in part, on being able to make clear-cut distinctions in this blurry space: When Russian government hackers targeted Ukraine's electric grid earlier this year, was that an act of war because the two countries were already at war? What about when Russia hacked Ukraine's electric grid in 2015, or when pro-Russian hackers targeted servers in countries like the United States, Germany, Lithuania, and Norway because of their support for Ukraine? Figuring out which of these types of intrusions are "warlike" is not an academic matter for victims and their insurers -- it is sometimes at the heart of who ends up paying for them. And the more that countries like Russia exercise their offensive cyber capabilities, the harder and more critical it becomes to make those distinctions and sort out who is on the line to cover the costs.

When insurers first began offering policies that covered costs related to computer security breaches more than 20 years ago, the promise was that the industry would do for cybersecurity what it had done for other types of risks like car accidents, fires, or robbery. In other words, cyberinsurance was supposed to insulate policyholders from some of the most burdensome short-term costs associated with these events while simultaneously requiring those same policyholders to adopt best practices (seat belts, smoke detectors, security cameras) for reducing the likelihood of these risks in the first place. But the industry has fallen well short of that goal, in many cases failing both to help breached companies cover the costs of major cyberattacks like NotPetya, and to help companies reduce their exposure to cyber risk.

This discussion has been archived. No new comments can be posted.

Who Pays for an Act of Cyberwar?

Comments Filter:
  • by AcidFnTonic ( 791034 ) on Wednesday August 31, 2022 @03:09PM (#62840907) Homepage

    Perhaps we need to add a WAR bit to TCP packets.

    Onus will be on an attacking Nation to set it.

    Ill write up an RFC.

    • by tlhIngan ( 30335 )

      Perhaps we need to add a WAR bit to TCP packets.

      Onus will be on an attacking Nation to set it.

      Ill write up an RFC.

      Why? Why not reuse RFC 3514 [ietf.org]?

      It's already available, BSD and Linux already support it.

      • by xalqor ( 6762950 )

        1) not invented here, 2) not enough XML involved in that spec, 3) it's nearly two decades old so there must be a better and more modern way of setting a bit by now, 4) it's strictly binary and this time around we want to make it more inclusive, 5) junior developer we recently hired recommended doing this with React instead of vanilla TCP/IP, 6) bits can be flipped so it should be securely recorded on the blockchain instead plus we could create an entire NFT economy from this to replace that archaic insuranc

  • Cyberwar isn't... (Score:2, Interesting)

    ... you can simply "end" the cyberwar by not putting your shit online. But we can't expect the hypocrisy of giant tech companies like apple/google/ms not to do that in their bid to take us back to mainframe computing of the 60's with trusted computing.

    Jesus the worst thing that happens is bugs in cpu's or code are taken advantage of that have some legitimate purpose and are used to take control of a device. But this is because the industry never built most CPU's with security in mind because cpu speed and

    • But how will data brokers get that sweet, sweet telemetry data if people disconnect? /s

      The war for security was lost back in the 1990s when the MBAs decided that "security had no ROI". A few lessons happened, like DOS/Windows viruses which fried motherboards and even monitors (back when throwing a wrong signal at a CRT would damage it). However, even with ransomware, there is still either a "it won't happen to us", or a "the hackers can get no matter what, so why bother" attitude in a lot of places.

  • Insurance (Score:5, Interesting)

    by chill ( 34294 ) on Wednesday August 31, 2022 @03:32PM (#62841009) Journal

    Cyber Insurance companies are tightening the requirements and being much more aggressive on ensuring best practices. I've provided documentation for our provider for the last three years and they're getting a lot pickier and more detailed. They've also started denying more claims where companies can't provide documented evidence that they were in compliance with best practices and had an active monitoring program. That whole "promise of reducing risks" is starting to happen as the dollar values start to get painfully high and it finally matters to the bottom line.

    Special war risk insurance riders [investopedia.com] are a thing. The definition of "act of war" will be for the courts to enforce if an insurance company denies a claim for that reason.

  • Simple Answer (Score:4, Interesting)

    by geekmux ( 1040042 ) on Wednesday August 31, 2022 @03:37PM (#62841021)

    Humans won't behave any differently dodging enemy bullets or bytes. The simple answer is the valid one; The one you can blame it on, pays.

    We're going to look for blame until we find it for something that big. Plain and simple. Hell, we might even start a real war trying to find blame for a virtual one.

    Yeah, we're that good n' ignorant.

    • The one you can blame it on, pays.

      This is almost never true, especially in cases that involve insurance claims.

      Blame all you want, a bag of money will not fall from the sky to make you whole.

    • by AmiMoJo ( 196126 )

      If the person to blame is in another country where you can't realistically sue them, then what? And even if you can sue, how long will that take?

      That's the point of having insurance. It pays out quickly so you can recover, and even if they ultimately can't get the money back from the person who was to blame.

      The acts of war exclusion wasn't a big deal for most people because they didn't live anywhere near a warzone. But cyber war, that has no front lines or geographical limits. To make matters worse, a lot o

      • If the person to blame is in another country where you can't realistically sue them, then what? And even if you can sue, how long will that take?

        That's the point of having insurance. It pays out quickly so you can recover, and even if they ultimately can't get the money back from the person who was to blame.

        The keyword in "Cyberwar" is War, so let's drop the insurance bullshit already. No insurance is going to come to your rescue, and even if it did, handing 10 million dollars of insurance money to a business owner that just had ALL of their engineering and design data nuked by ransomware, isn't going to magically make things all better again.

        An attack causes damage.

        A war, is a means to end you. Insurance will try and sell you otherwise, but in the end you'll be fucked by fine print like always.

        • by AmiMoJo ( 196126 )

          In that case maybe these aren't acts of cyber war. North Korea ransoming your files for Bitcoin is just ordinary crime, even though it's done by a nation state.

          The problem is there is a big grey area. For example, Russia is known to have interfered in both British and US democracy. Could interference by Russia be insurable? It certainly damaged Facebook's reputation, and cost money to investigate.

          • The problem is there is a big grey area. For example, Russia is known to have interfered in both British and US democracy. Could interference by Russia be insurable? It certainly damaged Facebook's reputation, and cost money to investigate.

            I agree that there is a very large grey area, but perhaps not quite what you think it is.

            First off, "is known" is far from concrete proof. And speaking of proof, it's rather hard to legally prove and define "damage" against someone as large as Facebook, who is now arguably Too Big To Fail. Social media is priceless to the Intelligence community, which causes even more confusion with defining thresholds. Facebook could be "nuked" off the planet tomorrow and the majority of American citizens wouldn't give

  • Such lawsuits by corporations and law firms are an immense drain on society in general. They can drag on forever too. Often, as in this case, they can't solve the problem used to justify them.

    The resources would be better spent on more engineers, programmers, scientists, .. to improve the involved products.

  • As far as I know, you're kind of SOL

    In Ye Olden Tymes, if a privateer snatched your ship, as far as the guys at LLoyds Coffee could tell, pirates got you and paid out... The cargo never came back.

    SO... With those ideas in mind, it SEEMS to me (like that's worth anything) that when we see things that LOOK like warlike acts, we can't PROVE they're acts of war so you get to go fight with the insurance company... Kind of like when they declare stuff an act of god.

    • Well, it seems to be up to the government. Either the government declared it an act of war, of they didn't. Simple test.

      • By that definition, the Vietnam War wasn't a war.
        Russia hasn't declared war on Ukraine, six months after invading.

        Having politicians decide matters of fact is never a good idea.

        • False. There is not, and never was, a Declaration of War Form that gets filled out. The courts have addressed this again and again.

          In Congress spends money to support an ongoing military conflict, it is legally a war. If the draft is invoked, it is a war. If Congress passes a law that declares it fulfills that requirements of the War Powers Act, (such as the post 9-11 authorization did) then it is a declaration of war.

          It is shocking how many people think "declaration of war" means that somebody shouts "I De

          • I'll quote the text of the main relevant international law for you:

            --
            Article 1

            The Contracting Powers recognize that hostilities between themselves must not commence without previous and explicit warning, in the form either of a reasoned declaration of war or of an ultimatum with conditional declaration of war.

            Article 2

            The existence of a state of war must be notified to the neutral Powers without delay ...
            --

            The United States has formally declared war half a dozen times. Despite your wish to believe "there is

            • A quick tip - it's best not to open by calling people "morons" when you're about to spout off about things you know little or nothing about.

              You're a moron. You quote a bunch of irrelevant shit. That does not contradict any point I made, or my conclusion. You carefully avoid actually saying anything at all; you put meta-words around your off-topic quotes to indicate you're wanting to argue... with something. But you can't find anything to argue with, so you fall back on... your support of WWII Germany.

  • Those who are unprepared will pay because they will be the ones that are impacted. Those who have invested in real security (not false promises) will suffer minimal damage due to the limited capability of any one compromised individual. Those who have designed their systems completely around security concepts will not be impacted.

    The only question left is who is prepared and who is pretending.

  • Insurance is not the problem, nor is it the answer. Insurance companies are in the business of selling policies and NOT paying claims. That's their obligation to their shareholders, and its not going to change any time soon.

    The question of whether its an act of war or not should not be based on some obscure definition of the act. It should be based on who did it.

    If the malicious event was perpetrated by a state sanctioned group, it is espionage or war.

    The problem is that its kinda difficult to sue
  • So I guess anything you don't declare isn't war, and must be covered by insurance... Right?

  • NONE of it is an actual war, unless maybe it is North Korea. Congress has been too politically chicken-shit to actually declare any wars since the Korean War (which never technically ended) - they just pass some force authorization act for the President to use, and that way, if he (or in the future, she) uses it in a way that is popular, they can stand up and say they supported the act that let the POTUS do that, and if it's unpopular, they can say they only voted for it reluctantly, and for a much more spe

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...