Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks?

When UK and US said it was Russia, they weren't thinking of the litigators!

Analysis The defining feature of cyberwarfare is that both the weapon and the target are the network itself. In June 2017, the notorious file-scrambling software nasty NotPetya caused global havoc that affected government agencies, power suppliers, healthcare providers and big biz.

The ransomware sought out vulnerabilities and used a modified version of the NSA's leaked EternalBlue SMB exploit, generating one of the most financially costly cyber-attacks to date.

Among the victims was US food giant Mondelez – the parent firm of Oreo cookies and Cadburys chocolate – which is now suing insurance company Zurich American for denying a £76m claim (PDF) filed in October 2018, a year after the NotPetya attack. According to the firm, the malware rendered 1,700 of its servers and 24,000 of its laptops permanently dysfunctional.

In January, Zurich rejected the claim, simply referring to a single policy exclusion which does not cover "hostile or warlike action in time of peace or war" by "government or sovereign power; the military, naval, or air force; or agent or authority".

Mondelez, meanwhile, suffered significant loss as the attack infiltrated the company – affecting laptops, the company network and logistics software. Zurich American claims the damage, as the result of "an act of war", is therefore not covered by Mondelez's policy, which states coverage applies to "all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction."

While war exclusions are common in insurance policies, the court papers themselves refer to the grounds as "unprecedented" in relation to "cyber incidents".

Previous claims have only been based on conventional armed conflicts.

Zurich's use of this sort of exclusion in a cybersecurity policy could be a game-changer, with the obvious question being: was NotPetya an act of war, or just another incidence of ransomware?

The UK, US and Ukrainian governments, for their part, blamed the attack on Russian, state-sponsored hackers, claiming it was the latest act in an ongoing feud between Russia and Ukraine.

Either way, it is evident that the result of the case will have enormous ramifications for cyber insurance policies and a significant impact on the monetisation of cybercrime. If Zurich's approach is successful, it could also lead to a loss of confidence in cyber insurance as an investment – ironically devaluing Zurich's product.

Are war exclusion clauses fit for purpose for cyber-attacks under International Humanitarian Law?

The juxtaposed nature of cyber-attacks and war, which has connotations of devastation and loss of life, leads to questions about whether the NotPetya attack would meet the standards under International Humanitarian Law (IHL). In order for IHL to be applicable, there needs to be an "armed conflict" – however, the term itself is not defined within the treaties.

Notably, there are two types of conflict governed by the IHL: International Armed Conflict (IAC) and Non-International Armed Conflict (NIAC).

Due to the ongoing conflict between Russia and Ukraine, we'll look at whether or not the NotPetya attack could be considered an International Armed Conflict; if it was, it could possibly fulfil that exclusionary clause. There are three points we need to look at.

1: Was the attack 'international' in nature?

Since the US and the UK accused Russia, this allowed the often problematic notion of attribution to arise, and possibly led Zurich to justify the war exclusion clause.

There are competing views regarding the attribution, with both the GRU – the Russian Military Intelligence Agency – and Russian-sponsored hackers accused. Legally, an IAC exists when hostilities between two states occur, so if it were the Russian military agency (being an organ of the state), the international element would suffice.

However, if it were non-state actors (NSA), in order for the conflict to be classed as international, the state would have to have "overall control" of the NSA. For those interested in the case law, this principle is outlined by the International Criminal Tribunal for the former Yugoslavia (ICTY) in The Prosecutor v Dusko Tadic*.

If there was sufficient control of these groups, where a state has issued directions on specific cyber acts to cause significant damage, the international aspect could be fulfilled. However, it is clear from jurisprudence that mere support alone in the form of financing, training and equipping falls below this threshold. Therefore, the difficult burden of attribution will lie with the defence of Zurich.

2: Was the 'armed conflict' requirement satisfied?

In the absence of a treaty definition, there have been competing views on what level of "armed" is required. It has been argued that the traditional approach cannot govern cyber-attacks as these are not kinetic acts. However, the growing consensus is that IHL is applicable.

The minds behind the Tallinn Manual – the international cyberwar rules of engagement – were divided as to whether damage caused met the armed criterion. However, they noted there was a possibility that it could in rare circumstances.

Professor Michael Schmitt, director of the Tallinn Manual project, indicated (PDF) that it is reasonable to extend armed attacks to cyber-attacks. The International Committee of the Red Cross (ICRC) went further, stating that cyber operations that only disable certain objects still qualify as an attack, despite causing no physical damage. There is no doubt Zurich will have to consider the wider implications and rising tensions between Russia and Ukraine for the attack to be considered an armed conflict, which, based on a lack of previous cyber operations, would be unlikely.

3: Was the threshold of 'armed attack' met?

An attack is defined as an act of violence against the adversary in article 49(1) of the additional protocols to the Geneva Convention. Controversy surrounds its application to cyber operations because of the requirement of physical damage, which is usually associated with violence involving physical force, and it is unclear where the line would be drawn. The consensus, however, is that non-violent operations such as psychological cyber operations or espionage would not qualify as an attack.

There have been different approaches to assessing what level of physical force is required for a cyber equivalent. Tallinn Manual's Schmitt insists (PDF) that the attack must result in injury or physical damage to objects. Dr Knut Dörmann, head of the legal division at the ICRC, by contrast extended the concept, saying that though it might not necessarily result in injury or damage, it could be partial destruction.

A competing view places greater weight on duration and intensity, meaning that a single cyber incident that causes limited damage, destruction, injury or even death would neither suffice nor be classified as an IAC. Given the uncertainty, the current proceedings would have to tread carefully in how they define the level of damage, as widening the threshold could warrant an avalanche of insurance claims and also reduce the threshold for conflicts.

The future outcome... or just the beginning?

How the case unfolds will be closely watched. However, it is likely that the NotPetya cyber-attack could not reach the high thresholds currently set out by the IHL framework for an IAC.

The proceedings highlight the inadequacies of the current international regulation. The case will hopefully guide the limits of insurance coverage. However, it may leave questions unanswered and create new ones, such as: is IHL the best way forward for dealing with cyber damage? How should cyber conflict be defined?

And lastly: if it is decided that this kind of damage from cyber-conflicts is uninsurable, how will this impact the companies that are hacked? ®

* Dusko Tadic was charged by the ICTY with a list of crimes allegedly committed in the Prijedor region of Bosnia-Herzegovina between 25 May 1992 and early August of the same year [PDF]. The Appeals Chamber found that "the armed forces of the Republika Srpska were to be regarded as acting under the overall control of and on behalf of the [Federal Republic of Yugoslavia]". (Our emphasis.)
