Cyber terrorism and cyber war: facing down the invisible enemies
A state-sponsored cyber attack could cause losses too large and uncertain for insurance alone to absorb.
Our societies are undergoing a process of change with profound consequences: digital transformation. As companies, governments, and individuals proceed with this transformation, their activities are moving online. This evolution is underway in all areas, and just as a growing part of our work is changing in form, so are the risks. And they are being multiplied, because along with the traditional risks, we need to consider the digital ones. In fact, cyber attacks are already one of the biggest threats to the insurance industry.
Broadly speaking, the main risks on the internet are:
- Cyber crime: the most common risk. It encompasses criminal activity based on the abuse of technologies and the internet. Committed by organizations or individuals, usually to make money.
- Cyber terrorism: in this case, the attack has political, ideological or religious motives and aims to exert influence or generate fear.
- Cyber war: offensive and coercive activities carried out by a state with the aim of inflicting damage or gaining an advantage over other countries.
Although cyber security represents a major challenge for insurance, these last two forms, digital terrorism and warfare, are especially problematic. Both have tremendous potential to do damage, but in the case of war, that is, state-sponsored cyber war, the risk is incalculable. One of the main problems is that the difference between the two, while clear on paper, is far more ambiguous in reality. How can the accountable party be identified? How can we work to provide solutions in the insurance industry? How can we establish limits for what insurance can and cannot cover? War is a risk that is excluded from most insurance policies, although this approach is starting to adapt to the new scenarios generated by cyber attacks.
A recent event spotlights the importance of this issue. In 2017, there was a massive cyber attack on the Ukraine that affected multinational companies, causing millions in losses that they claimed from their insurance companies. The aggression was widely believed to have been committed by Russian military intelligence, so the insurance companies took advantage of the acts of war exclusion. But the courts are rejecting this argument, arguing that the concept of war in the contracts is understood as traditional armed conflict. The consequences of this interpretation are tremendous: in the most notorious case, a sentence in January awarded payment of 1.4 billion dollars to a single company affected by the cyber attack in Ukraine.
In view of the uncertainty, the Geneva Association (GA), an organization representing the world’s leading insurance companies and reinsurers, and the International Forum of Terrorism Risk (Re)Insurance Pools (IFTRIP) have published a series of reports to shed light on this issue. Among the experts relied on by these organizations are Daniel Largacha, director of MAPFRE’s Global Security Center, and Óscar Taboada, head of Cyber Risks at MAPFRE RE.
A new concept: “Hostile cyber activity”
The dilemma of how to address the “ambiguous gray area” between different types of cyber attacks and their possible state sponsorship is so complex that even insurance professionals cannot fully agree on how to name and categorize this field. And this is not a pointless debate: the lack of definition when handling these types of claims has already generated costly litigation, with the subsequent reputational damage to the insurance companies involved, and above all, a loss of confidence in the sector. As a solution, the GA proposes a new term, “hostile cyber activity” (HCA), a concept that closes the gap between digital terrorism and acts of war while establishing a starting point for work.
Hostile cyber activity (HCA) “refers to generally, but not invariably, covert attacks aimed at economic targets or at undermining or destabilizing public life (including democratic processes) or public trust, using cyber means or triggers perpetrated generally by, on behalf of or with the practical support and/or moral encouragement of nation states,” according to the report.
Although it is a broad definition, the study is specific when predicting the impact of these types of attacks, distinguishing between “destructive” and “disruptive” consequences.
- Destructive Impact: causes physical damage. It could take the form of an attack that, for example, shuts down the cooling systems of gas turbines (used in power plants and transportation), opens the sluice gates of dikes, and closes the safety valves on pressurized water tubes.
- Disruptive impact: refers to the unavailability of systems, services, and digital infrastructure. Examples include ATM blocking, the hacking of bank accounts, causing computer outages or data corruption in hospitals, emergency services or critical public services, and even attacking the power grid, resulting in blackouts and the interruption of food and fuel distribution chains.
Identifying the accountable parties
Once the framework is established, the attack must be attributed, a process that is often “inherently difficult,” according to the experts at the Geneva Association. First we must distinguish between the three actors who could be responsible: criminals, terrorists, and states, keeping in mind that for behavior to be characterized as HCA, a state must be responsible. In most cases, categorization will depend on this critical point: whether the accountable party is a terrorist organization or a state. “Attribution and responsibility are the main challenges that the insurance industry must address, because rapid, transparent international coordination would be necessary to resolve many cases, and this is not happening today, nor do we expect to see a solution in the next few years,” says Daniel Largacha.
The difference between the two provides a clue but also represents an obstacle. Terrorists need notoriety; they tend to claim their attacks. A nation state acting covertly, on the other hand, not only has no incentive to take public responsibility, but will try not to leave any traces that could be used to attribute the attack.
The report proposes a framework for insurance professionals with key steps and simple questions to answer, ranging from the country’s security regulations and whether it carries out a serious investigation to the coordination of the attacks and the participation of official and military forces in them. This framework determines states’ non-existent, low, medium or high involvement in several cases, such as their direct action, their incitement or simply not interfering with the attackers. However, in order for this methodology to be successful, a greater effort to unify criteria at the international level is needed, the Geneva Association warns.
But for insurance purposes, since the attribution of an attack will determine whether its damages are covered by the contract, and even the amount of the compensation, those ultimately responsible for establishing unclear responsibility will be the courts. The most reliable evidence for attribution comes from investigations by police, intelligence services, and private companies, which are often outside of the public domain. On this point, the report is categorical: insurers can only establish hostile cyber activity if the accusation is public and backed by evidence. It also cites two halfway scenarios: the attribution is made public but without evidence, which “may not be enough for the insurance company to use it in court,” or the accusation is made by a “dubious” country when it is “unlikely that attribution will be used in court; the insurer has to prove it with evidence.”
Solutions from the insurance industry
Currently, potential damages from hostile cyber activity are covered in a limited manner by the insurance industry. But the transformation of risks and their migration towards the digital realm requires insurance to be more present in this area. However, this growth cannot be driven by insurance companies alone.
“The potential losses caused by cyber terrorism or HCA events are too large and uncertain for the reinsurance market alone to absorb,” according to the global industry association, which proposes public-private partnership (PPP) as a potential solution. Through such partnerships, the public sector would absorb part of “maximum” cyber risks, which, considering examples such as large-scale blackouts or attacks on power plants, would have an unfathomable economic impact.
Although this form of collaboration could vary depending on the jurisdiction, the study points to some successful examples of existing PPPs in other areas, such as the German firm Extremus, which covers damages for terrorist attacks up to a limit, after which the country responds; the French company Assuratome and its coverage of nuclear accidents; and the Insurance Compensation Consortium in Spain with its response to natural disasters.