IN BRIEF
- This article sets forth the differences among the various cyber threats, including cyber crime, cyber espionage, cyber terrorism, and “hacktivism.”
- As cyber threats increase in the face of COVID-19 distractions, there likely will be related insurance claims and disputes regarding such claims.
- Paying close attention to the wording of “war” exclusions to assess whether insurers may seek to invoke those provision in the event of a claim will be critical.
In the beginning of the treatise On War, Carl Von Clausewitz explained war as follows:
I shall not begin by expounding a pedantic literary definition of war, but go straight to the heart of the matter, to the duel. War is nothing but a duel on a larger scale. Countless duels go to make up war, but a picture of it as a whole can be formed by imagining a pair of wrestlers. Each tries through physical force to compel the other to do his will; his immediate aim is to throw his opponent in order to make him incapable of further resistance.[1]
Insurance policies often contain so-called war exclusions. These provisions, which can differ significantly in how they are worded, purport to limit coverage for losses arising out of war or warlike actions.[2]
The issue came into recent prominence in 2018 as a result of litigation initiated by Mondelez International, Inc. against Zurich American Insurance Company. Mondelez suffered losses as a result of the malware known as “NotPetya.” According to a Wired article, “[NotPetya’s] goal was purely destructive. It irreversibly encrypted computers’ master boot records, the deep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that victims tried to make was futile. No key even existed to reorder the scrambled noise of their computer’s contents.”[3] Per Mondelez’s complaint, Zurich denied Mondelez’s claim for insurance coverage based on a war exclusion which purported to exclude coverage for a “hostile or warlike action. . . .”
Although much has been written on the subject of the “war” exclusion, this article seeks to take a deeper dive into cyber threats.
Cyber Threats and the War of Words
States, nonstate actors, and criminal groups regularly engage in malicious cyber activities that eschew easy classification[4] in that subtle differences are often all that separates cyber crime, espionage, terrorism, and “hacktivism.”[5] Cyber crime, in its most simple distillation, is characterized as a crime that involves the use of computer-based means to commit an illegal act.[6] Cyber criminals develop and use various tools that delve deeply and covertly into public, commercial, and private networks[7] and are motivated, for the most part, by financial gain. According to Interpol:
[c]ybercrime is one of the fastest growing areas of crime. More and more criminals are exploiting the speed, convenience and anonymity that modern technologies offer in order to commit a diverse range of criminal activities. These include attacks against computer data and systems, identity theft, the distribution of child sexual abuse images, internet auction fraud, the penetration of online financial services, as well as the deployment of viruses, Botnets, and various email scams such as phishing.[8]
In contrast, the sine quo non of cyber espionage is gathering intelligence—governmental, corporate, or individual[9]—and often involves stealing trade secrets, intellectual property, and confidential government information. Despite the military nexus, and the “real and serious threat” to the state, cyber espionage typically will not trigger “application of international law on the use of force” but rather require a domestic or international criminal law response.[10]
Cyber terrorism and “hacktivism” are also commonly used in describing hostile cyber practices. Cyber terrorism has been defined as “the intimidation of civilian enterprise through the use of high technology to bring about political, religious, or ideological aims, and actions that result in disabling or deleting critical infrastructure data or information.”[11] In turn, a “hacktivist” is a “private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious, or patriotic reasons.”[12] Both of these activities can obviously cause significant damage to a state.[13]
Though certain cyber activities occur “below the level of a ‘use of force’ as this term is understood in the jus ad bellum,”[14] a “lack of agreed upon definitions, criteria, and thresholds for application” coupled with “the rapidly changing realities of cyber operations” continue to raise questions concerning law enforcement versus military responses.[15] Determining the appropriate response may be possible only by discerning the goals and motives underlying the activity,[16] which is usually very difficult in that transparency and attribution are often nonexistent in cyberspace.
Cyber warfare, by contrast, generally “trigger[s] the international law governing the resort to force by States as an instrument of their national policy,” the Law of Armed Conflict,[17] and the associated risks of traditional hostilities.[18]
Universal Cable Productions
A September 2019 decision regarding the war exclusion, albeit not in the cyber context, addressed some of these issues.[19] In that case, the U.S. Court of Appeals for the Ninth Circuit reviewed a lower court decision regarding an insurance claim by two production companies who were forced to relocate the production of a television program from Jerusalem due to Hamas rocket attacks.[20] The insurance company denied coverage on the grounds that the covered expenses were barred by virtue of exclusions for “war” and “warlike action by a military force.”[21] The Ninth Circuit rejected these arguments and held that “war” in the insurance context is limited to hostilities between sovereigns, and that although Hamas has control over Gaza, “Gaza is part of Palestine and not its own sovereign state” and that Hamas “never exercised actual control over all of Gaza.”[22]
Resolving Cyber Insurance Disputes
As cyber threats increase in the face of COVID-19 distractions,[23] it is likely that there will be related insurance claims and disputes regarding such claims. Policyholders, brokers, CFOs, and risk-management professionals should pay close attention to the wording of “war” exclusions to assess whether insurers may seek to invoke those provision in the event of a claim.
Should a dispute arise, stakeholders may want to consider utilizing alternative dispute resolution methods. As discussed in a prior article by the authors, there may be unique advantages to doing so in the context of a cyber insurance dispute, including, among other things, confidentiality and the ability to select a neutral who is versed in the key technical issues.[24] Doing so will allow the parties to go straight to the heart of the matter and perhaps, to the chagrin of Clausewitz, avoid the duel.
[1] Carl Von Clausewitz, On War 75 (Michael Howard & Peter Paret, eds., 1989 ed.).
[2] IRMI, “War Exclusion.”
[3] See Andy Greenberg, The Untold Story of NotPetya, the Most Devasting Cyberattack in History, Wired, Aug. 22, 2010.
[4] See Scott J. Shackelford, In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012, 64 Stan. L. Rev. Online 106 (Mar. 8, 2012).
[5] See Tom Bradley, When Is a Cybercrime an Act of Cyberwar?, PC World, Feb. 20, 2012; see also Brad Lunn, Strengthened director duties of care for cybersecurity oversight: Evolving expectations of existing legal doctrine, 4 J. L. & Cyber Warfare 1, 109–137 (2014).
[6] Oona A. Hathaway, Rebecca Crootof, et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 834 (2012); Gary Solis, Cyber Warfare 1 (unpublished manuscript) (on file with authors).
[7] See Chris C. Demchak, Wars of disruption and Resilience: Cyber Conflict, Power, and National Security 8 (2011).
[8] Interpol (last visited April 23, 2015).
[9] Tallinn Manual on the International Law Applicable to Cyber Warfare 193 (Michael Schmitt ed., 2013) [hereinafter Tallinn Manual] (defining cyber espionage narrowly as “any act undertaken clandestinely or under false pretences [sic] that uses cyber capabilities to gather information.”). The Tallinn Manual was developed “to help governments deal with the international legal implications of cyber operations.” See, e.g., Manual Examines How International Law Applies to Cyberspace, IT World (Sept. 3, 2012) (noting that The Cooperative Cyber Defense Center of Excellence, which “assists NATO with technical and legal issues associated with cyber warfare related issues,” created the Tallinn Manual to address a variety of cyber legal issues). The Tallinn Manual examines the “international law governing cyber warfare” and encompasses both jus ad bellum and the jus in bello. Tallinn Manual, supra, at 4.
[10] Tallinn Manual, supra note 9, at 4.
[11] William L. Tafoya, Cyber Terror, FBI Law Enforcement Bulletin (Nov. 2011).
[12] Tallinn Manual, supra note 9, at 259.
[13] See, e.g., Nicole Perlroth, Anonymous Attacks Israeli Web Sites, N.Y. Times, Nov. 15, 2012; Michael Rundle, 'Anonymous' Hackers Declare Cyber War On North Korea, Claim Internal Mail System Hacked, Huff. Post UK, Apr. 4, 2013.
[16] See Bradley, supra note 5.
[17] Tallinn Manual, supra note 9, at 4.
[18] See Philippa Trevorrow, Steve Wright, et al., Cyberwar, Netwar and the Revolution in Military Affairs 1, 3 (2006) (discussing how modern societies are, for the most part, highly dependent on the continuous flow of information); Michael McMaul, Hardening Our Defenses Against Cyberwarfare, Wall St. J., Mar. 6, 2013, at A19 (“Digital networks could be used as a conduit to gas lines, power grids and transportation systems to silently deliver a devastating cyberattack to the U.S.”).
[19] Peter Halprin & Nicolas Pappas, Cyber Insurance for Critical Infrastructure and Debate About War, IIoT World Cybersecurity Blog (Nov. 5, 2019); see also Michael Gervais, Cyber attacks and the laws of war, J. L. & Cyber Warfare 1.1, 8-98 (2012).
[20] Universal Cable Productions, Inc., v. Atlantic Specialty Ins. Co., 929 F.3d 1143 (9th Cir. 2019).
[23] See, e.g., Peter A. Halprin & Jacquelyn Mohr, COVID-19 Cybersecurity and Insurance Coverage, N.Y.L.J. (Apr. 20, 2020).
[24] See, e.g., Peter A. Halprin & Daniel Garrie, Arbitrating Cyber Coverage Disputes, 29 Coverage Magazine 1 (Winter 2019); see also Michael Gervais, Cyber attacks and the laws of war, J. L. & Cyber Warfare 1.1, 8-98 (2012).