By Russ Banham
A foreign country launches a physical attack by air, sea and land against a large American city, resulting in extraordinary property destruction and the loss of untold lives. Is this war? You bet.
But what if the same country launches a cyber attack against the electric power grid in the same city, radically disrupting the flow of business for tens of thousands of companies over a period of many weeks and contributing to the deaths and injuries of dozens? Is this war? That’s where things get complicated.
Across the globe, there is no statutorily agreed upon definition of cyber war. Neither the Hague Conventions nor the Geneva Convention references the term. The United Nations and NATO also do not define what it is (or isn’t). Even the U.S. Defense Department’s 2015 Law of War Manual—a document defining a broad spectrum of wartime actions—has no mention of “cyber war” or “cyber warfare.”
Why care? Because of the war exclusion found in the vast majority of insurance policies, which determines coverage for losses arising out of war or war-like actions. If a cyber attack were considered war, insurers would be on pretty firm legal ground to exclude any and all insured losses deemed a result of the warlike event. But what if the attack on the power grid is not cyber war? Without a clear definition, the insurance industry must tread carefully to exclude coverage.
At a time when insurance brokers see cyber insurance as a fast-growing business opportunity, the world’s inability to come to a consensus puts brokers in a very uncomfortable position. They are stuck between corporate risk managers concerned about potential uninsured losses and insurance markets still struggling to find their way with emerging cyber-related exposures.
“As risk advisors, we’re in uncharted territory,” says Eric Seyfried, senior vice president and cyber and E&O leader at Aon Risk Solutions. “Since we haven’t seen a nation-state-sponsored defined act of war or terrorism in a cyber context, we don’t know if it would be covered or not.”
“Cyber-security experts have been wrestling for some time to legally define what cyber war is and isn’t,” says David Inserra, a policy analyst at the Heritage Foundation who specializes in homeland security and cyber policy. “It’s a big gray area. Maybe the first time everyone agrees it has happened, the insurance industry will activate the war exclusion and businesses would pay. But businesses can’t keep paying all the time.”
What If the Government Declares It?
The United States hasn’t officially declared war since World War II yet has been involved in numerous other conflicts since then. And when it comes to insurance coverage, many feel that it takes that official declaration to activate the war exclusion.
“There’s the traditional declarative state of war, such as FDR’s declaration of war against imperial Japan following the attack on Pearl Harbor, and then there’s all these other events that may or may not constitute acts of war or hostility,” says Alan Cohn, former assistant secretary for strategy and planning at the Department of Homeland Security and currently of counsel at law firm Steptoe & Johnson. “Unless the president declares something an act of terrorism or an act of cyber war, it’s unclear what the effect would be. Legally, it’s a very muddy area.”
Cohn should know. During his time working for the federal government, discussion arose several times over declaring cyber events to be terrorism or an act of war. “A similar debate is now under way trying to determine the difference between traditional war and the various types of cyber attacks and disruptions we see today,” Cohn says.
“Until an event is analyzed and declared an act of war, it isn’t an act of war,” says Lani Kass, a former senior policy advisor to the chairman of the Joint Chiefs of Staff, where she was responsible for high-level military assessments and analyses of international crises. “The key is the declaration.”
Robert Hartwig, a professor of finance at the University of South Carolina and former president of the Insurance Information Institute, agrees with the importance of the declaration in claims outcomes. “It is almost unavoidable that a declaration of cyber war by the president or Congress would encourage insurers to exclude the related losses, which would result in long-lasting claims disputes and protracted litigation between claimants and insurers,” he says.
The importance of the official declaration was apparent in the 2013 Boston Marathon bombing, when claims were not excluded under terrorism policies. This is because the bombing was not officially declared an act of terror. For the same reason, businesses that had purchased terrorism insurance could not file claims under these policies. Terrorism insurance is backed up financially by the federal government’s Terrorism Risk Insurance Act (TRIA). “TRIA requires a formal declaration of terrorism by the Treasury Department to pay out, which was not in the offing [in the Boston bombing],” Hartwig says. “So an event that certainly looked like a terrorist attack was not covered by terrorism insurance.”
Could Engaging in Armed Conflict Be Enough?
Now, as is clear by the many conflicts that continue to occur around the world, regardless of whether a formal declaration of war is made, countries can still engage in warlike actions. “There does not need to be a formal declaration of war for the laws of armed conflict to apply,” says Jody Westby, CEO of Global Cyber Risk, a provider of cyber risk advisory services to government and businesses.
Westby maintains that insurance companies “may reasonably decide to activate the ‘act of war’ exclusion to claims—even if there has not been a formal declaration of war. If it looks like a duck, acts like a duck and quacks like a duck, insurance companies should not need Congress to say it is a duck,” she says.
With traditional war, the term of art is that an act of war involves another nation’s “use of force or armed conflict,” says Adam Segal, director of the digital and cyber space policy program at the Council on Foreign Relations. “But even in such situations, these things are politically defined by context.” Segal notes that context would also be applied to a determination of cyber war. “I’ve been told by Israeli officials that a cyber attack that shut down traffic lights in Tel Aviv would be considered a potential ‘use of force’ and ‘armed attack’ since the country relies on massive mobilization” of soldiers to battle, he explains. “Traffic is bad enough in Tel Aviv as it is. But it’s unlikely the U.S. would go to war over the same thing.”
Under international laws of armed conflict, force must be limited to accomplishing military objectives, and excessive force is prohibited. Also, certain targets are protected, such as hospitals, religious sites, and transportation of sick or wounded. These provisions are intended to prevent unnecessary suffering and destruction.
The same rights may be granted in the context of specific cyber attacks. “The destruction or incapacitation of critical infrastructure like communications, water systems and utility grids could cause extreme suffering and hardship,” Westby says. “In today’s connected society, these networks should be off limits for cyber attacks.”
Such attacks could constitute an act of war, as the attack would shut down the transportation network, curtail the normal course of business for tens of thousands of companies, and plunge millions of people into darkness without access to food and water. “It would likely fall under the definition of ‘use of force,’ giving insurers some ground upon which to deny claims,” Segal says. “But that doesn’t mean the government would see it that way.”
Attribution May Be the Linchpin
What would it take for insurers to make that determination if not a formal declaration? “The key for carriers to activate the war exclusion is attribution,” says Andy Lea, vice president and head of the media, E&O and cyber practice at CNA. “Without attribution—a nation-state stepping forward to declare it perpetrated the cyber attack—it would be forensically difficult to discern who did what.”
If North Korea were to boast that it had unleashed the WannaCry ransomware attack, would the insurer activate the war exclusion in its insurance policies that were affected by the malware? Lea says yes. “To the extent there is a war exclusion in a property and casualty policy and it could be applied,” he says, “we would apply it.”
Julie Bernard, a principal and insurance sector leader at Deloitte Advisory who heads its cyber-risk services practice, agrees. “Here’s the thing with war—it requires attribution. The same would apply to cyber war. You need to know who did it—was it China, ISIS or some guy in a hoodie in a basement…. The problem with cyber attacks, unlike physical attacks, is that it’s not easy to prove the source.”
A case in point is a nation-state that recruits third-party hackers to launch a devastating cyber attack. The target country would need to demonstrate a clear connection between the two parties, particularly if the nation-state denies involvement. Such links are vastly easier to assert and prove in the context of traditional war. “The laws of armed conflict allow a country to use third-party combatants as soldiers,” Westby says, “but they must have distinctive emblems or uniforms, carry their arms openly, and be directed by a person responsible for subordinates.”
A nation-state that recruits hackers to launch a cyber attack fits none of these criteria, subverting the ability of the target nation to assert attribution. “China and Russia have been known to use third parties for cyber attacks, then deny any knowledge or involvement,” Westby says. “If the third parties are not recognized as a lawful combatant and the U.S. declared an act of war against Russia or China, it could theoretically be in violation of the Geneva Convention.”
Without clear attribution, much less an agreed upon definition of cyber war, it remains uncertain how the United States, or any other country, could respond to what it considers to be an act of cyber war. “It may boil down to whether the attack is of such a size, scope or scale that it triggers a nation’s right to self-defense—in the U.N. Charter sense of the phrase—for a cyber attack to be deemed an act of war,” Cohn says. “As yet, this remains untested.”
Cyber War Manuals
Although there is no universally accepted definition of cyber war, there are plenty of attempts at describing what it could be. For instance, the Institute for Advanced Study of Information Warfare describes cyber war as “any action by a nation-state to attack and attempt to damage another nation’s computers, critical infrastructure, or information networks…to deny, exploit, corrupt, or destroy an adversary’s information, information systems, and computer-based networks.”
The Tallinn Manual on the International Law Applicable to Cyber Warfare offers a deeper analysis of what constitutes cyber war. The 125-page document was developed by cyber-security experts from multiple nations working with NATO’s Cooperative Cyber Defense Center of Excellence, which is based in Tallinn, Estonia, hence its name.
NATO set up the center after North Korea was accused of hacking Sony Corporation in 2014. (Today, there is still doubt as to who was responsible.) Despite the center’s NATO sponsorship, the manual does not have the power of a treaty signed by many nations. It essentially is a working document for analysis and commentary.
In the manual, the experts provide examples of what they consider cyber warfare. One example is a nation that acquires control over enemy weapons through cyber means and uses those weapons to attack that country or another. Another example is the use of a botnet, a collection of Internet-connected devices such as computers or smart phones that are infected and controlled by malware, to conduct a distributed denial of service attack against a target country’s electric power grid. Both are introduced in Rule 41 of the manual.
Rule 42 presents another example of cyber war—the superfluous injury or unnecessary suffering of people harmed in a cyber attack. Rule 71 cites an attack against the computers, computer networks and data of medical units and transports as a warlike event. “Some experts contributing input to the Tallinn Manual take the view that a cyber attack that does not result in injury, death and destruction but produces extremely negative effects can be construed as an act of war,” Inserra says. An example listed in the manual is a crippling attack against a major stock exchange that results in a catastrophic stock market crash. However, Inserra notes, “others take the opposite position.”
Since the manual is not a treaty and does not have the power of international law, these examples are essentially suggestions of how governments may define cyber war. Still, the document is important as debate on the subject proceeds. In some cases, it could serve as the basis for an insurer’s interpretation of a cyber attack as “warlike” and therefore excluded from coverage.
Consider Costs, Confer with Clients
The lack of a clear and certain definition of cyber war is reflected in the wide range of cyber policies and exclusions themselves. “The ambiguity of cyber space makes the demarcation between cyber war and cyber crime unclear,” says Daniel Garrie, executive managing partner at Law & Forensics, a consulting firm focused on forensics and cyber security. “Our read of the dozens of different cyber insurance policies in the marketplace indicates different definitions of what constitutes a cyber attack, much less cyber war. Each appears to vary as to specifics.”
For the tens of thousands of companies that have purchased property insurance absorbing their business interruption expenses, there is no assurance their losses would be covered in the event of an act of cyber war.
Speaking on a Marsh webcast on managing terrorism risk last year, Matthew McCabe, senior vice president of Marsh’s cyber practice, “suggested businesses should be particularly vigilant for language that would apply the exclusion to any act of a foreign nation state,” reported the Claims Journal.
“Cyber has created a vast, untested category of claim that could well fall between the cracks in many commercial insurance programs,” Hartwig says. “Just because the president and members of Congress refer to a specific cyber event as an act of war or an act of terrorism does not necessarily mean it fits the insurance industry’s definition of an act of cyber war. It’s a huge gray area.”
And were it to happen, the cost could be staggering. For example, an attack on a city’s electric grid that shuts down critical infrastructure could have more than $1 trillion in economic impact, according to a 2015 Lloyd’s study on behalf of the city of London. The insurance institution estimates a cyber attack would result in as much as $71.1 billion in claims, assuming they are all paid.
The onus is on insurance carriers now to carefully consider these consequences before they occur and for brokers to confer with clients in the interim.
Until then, Segal maintains, there has to be more clarity in the insurance industry as to what is covered and what isn’t for different types of cyber attacks. “Insureds and insurers need to figure out where their responsibility begins and ends,” he says. “The ambiguity needs to be narrowed.”
Banham is a Pulitzer Prize-nominated investigative reporter. [email protected]