A Blog by Jonathan Low

 

Aug 25, 2019

Is Hacking An Act of War?

It is increasingly meant to threaten or deliver war-like risk, but stop just shy of traditional definitions regarding the meaning of combat.

As is so often the case, how an attack is defined may be determined by the target's insurance provider.

Ultimately, society has to decide what its limits are - both as a target and as an aggressor. JL


Elizabeth Braw reports in the Wall Street Journal:

Modern technology has made it easier to conduct targeted acts of aggression from far away, in secret or by proxy, putting businesses on the front line. Attacks on businesses linked to foreign governments are becoming increasingly frequent. Businesses are cheap, easy and largely risk-free targets. Western countries’ march toward smart cities, and their increasing use of the internet of things, make their companies and residents vulnerable. It’s dangerous to insulate companies from risks they take on, but hybrid warfare is an unpredictable danger imposed on the entire market.
Who should pay for the damage Iran has inflicted on tankers in the Strait of Hormuz? It’s longstanding practice for insurance companies not to cover acts of war. Taking on the risks of warfare, which lays waste to entire regions, would expose an insurer to ruin. But conventional acts of war also entail heavy risks for aggressors, making them a less prevalent danger to business. Modern technology has made it easier to conduct targeted acts of aggression from far away, in secret or by proxy, putting businesses on the front line.
In the best-case scenario, today’s hybrid warfare drives up the cost of insurance enormously, as in the Strait of Hormuz. Anthony Gurnee, CEO of Ardmore Shipping, told CNBC in July that the cost of covering a trip through the strait had grown 10-fold in two months.
Other corporate victims of foreign assaults are even unluckier. Two years ago, the NotPetya attack, a virus targeting Ukrainian government agencies and businesses, spread to various multinational corporations. It caused an estimated $870 million in losses to Merck; $400 million to FedEx’s European subsidiary, TNT Express; $300 million to Maersk, the Danish shipping giant; and $188 million to Mondelez, which makes Oreos.
It’s unclear if some of those companies will get an insurance payout. Mondelez’s and Merck’s claims have both been denied on grounds that the NotPetya attack was an act of war—an argument supported by the fact that several countries including the U.K. and the U.S. attributed the attack to Russia. Both companies are fighting in court with their insurance companies.
Attacks on businesses linked to foreign governments are becoming increasingly frequent. Hackers working for Beijing and Pyongyang regularly target Western companies. Last year the U.S. Department of Homeland Security and the Federal Bureau of Investigation reported that hackers linked to Russian government operatives have attacked American firms in a variety of sectors, including energy, water, aviation and manufacturing. This is the new state of foreign policy. Earlier this summer the U.S. reportedly hacked the Russian grid.
If the risks of hybrid warfare become too high, certain business activities—think sending cargo ships along particular routes or operating critical national infrastructure such as power plants—may become uninsurable. Businesses are cheap, easy and largely risk-free targets. Western countries’ march toward smart cities, and their increasing use of the internet of things, make their companies and residents more vulnerable still.
This means the insurance market has to change, and it’s starting to already. Global corporate insurers are working on models that would allow them to cover companies even if they are targeted by hostile countries or proxies, without bankrupting the insurer. Insurance brokers, in turn, are taking on a more central role in advising companies regarding insurance and risk. The greater danger makes the market more complex to negotiate.
Governments can help by taking the risks to businesses into account in their geopolitical strategies. Roderich Kiesewetter, a Christian Democratic member of the German Parliament, told me that European governments should act together to make sure Strait of Hormuz traffic doesn’t become uninsurable and thus unusable for international trade. “It would be helpful if we monitored the area as part of a joint European mission,” he said.
In the U.S., Sens. Mike Crapo (R., Idaho) and Mark Warner (D., Va.) have introduced a bill styled the Microchips Act, which would require defense and intelligence agencies to develop a comprehensive strategy to deal with Chinese threats to U.S. supply chains, including from cyberattacks.
In extreme cases such as complete power grid failure, there may be no option but for the government and the insurance industry to team up and jointly reinsure the risk, as Britain’s Pool Re does with terrorism.
It’s dangerous to insulate companies from risks they take on, but hybrid warfare is an unpredictable danger imposed on the entire market. Almost any firm could be hit by a cyberattack. Governments need to afford them the protections needed for global commerce to continue.
