Innocent Cyber Bystanders Entangled in an Act of War
Thursday, January 3, 2020, may very well be an inflection point in the history of modern cyber warfare. U.S. President Donald J. Trump ordered a lethal missile strike on a convoy of vehicles carrying General Qassem Soleimani, an influential Iranian military leader, in Iraq’s capital. As expected, international reactions varied greatly. According to The Wall Street Journal, Iraqi Prime Minister Adel Abdul-Mahdi felt the actions breached previously agreed-upon terms with the U.S., Iranian Supreme Leader Ali Khamenei threatened vengeance, French Foreign Minister Jean-Yves Le Drian pleaded for no further escalations between Iran and the U.S., U.S. Democratic party leaders demanded a clear strategy regarding the potential fallout, while many Republican leaders praised the actions for retaliating against past and current Iranian aggressions towards the U.S.
There is one thing that many parties agree upon in the aftermath of the incident, and it is reflected in the ancient Hammurabi code, the U.S. should prepare for retaliatory attacks- an eye for an eye. The start of a new decade may usher in cyber warfare as the new normal in global combat.
Iran, the U.S., and Their Shared Cyberwarfare History
Forbes contributing editor, Zak Doffman, shared some prescient thoughts during the summer of 2018. “Iran understands that retaliation against the U.S. military in the cyber domain might be akin to throwing rocks at a tank, but it can hit the vast and under-protected U.S. corporate sector at will.” At the time of Doffman’s comments, Iran and the U.S. were in the midst of a cyber-skirmish. As reported in Forbes, U.S. Cyber Command attacked Iran’s military computer systems after Iran destroyed a U.S. drone conducting surveillance. Iran counterattacked by hacking the unpatched Microsoft Outlook systems of firms in the U.S.
In February 2019, an article in The New York Times reported that Iranian hackers stepped up their attacks on American assets including banks, businesses, and government agencies. This increase in cyber warfare was possibly due to the 2018 withdrawal by President Trump from the Iran nuclear deal, also known as the Joint Comprehensive Plan of Action (JCPOA). The Stuxnet worm attack on Iranian nuclear facilities during the last decade adds to the Iran/U.S. cyber warfare narrative, but the recent event in Baghdad may trigger the most widespread cyber campaign ever against the U.S. Evidence of this has already begun, with a group of hackers claiming to be from Iran breaching the website of the Federal Deposit Library Program. While arguably this is a so-called soft target, it is nevertheless emblematic of the type of disruption that can be expected as rhetoric and hostilities are only beginning to escalate.
Innocent Cyber Bystanders entangled in an Act of War
In preparation for a swift response from Iran and its sympathizers, American businesses must revisit their current cyber insurance policies or procure coverage asap if none exists. While cyber insurance simply places a fixed price on the uncertainty following a cyber-attack, the actual exercise of reviewing a current policy or procuring a new policy allows an organization to remain current with the most recent threats. There are several key coverages every comprehensive cyber policy must contain such as security breach response, multimedia, extortion, business income interruption, and reputational harm loss for example. However, a new risk that must be accounted for involving cyber is the act of war exclusion found on many property policies. Merck Pharmaceuticals and food giant Mondelez were a few of the hundreds of global companies directly affected by the 2017 Russian-born Notpetya cyber-attack.
While initially focused solely on Ukrainian assets, viruses like Notpetya are easily spread among computer networks and soon this attack became global in nature. According to the Insurance Journal, Merck’s direct and indirect losses totaled $1.3 billion and over 30 insurers and reinsurers denied coverage due to Merck’s property policies specifically excluding acts of war. While Merck took many of these insurers to court, such as AIG and Allianz, the fallout from the breach continued as the pharmaceutical giant struggled to reopen several production facilities that were shuttered. Mondelez suffered a similar fate in the aftermath of Notpetya, and it has taken Zurich to court over $100 million in both direct and indirect hardware and supply chain claims that were denied due to the act of war exclusion. The insurance industry must realize that companies such as Merck and Mondelez are not willing combatants in international disputes, and these companies should not be subject to denial of coverage due to actions beyond their control.
The industry must update its policy language and keep pace with rapid changes in technology, in fact, it can learn something from the recent actions taken by the Federal Aviation Administration (FAA). The FAA recently updated its laws to ensure pilots of Unmanned Aircraft Systems (UAS, or drones) are competent operators of their drones via a comprehensive exam, and the pilots must obtain an FAA Airman Certificate to be compliant. As drone technology has advanced allowing for greater height, speed, and other technical capabilities the FAA has wisely updated its laws to protect the interest of the public and keep pace with technology.
Equally as troubling to the act of war exclusion is the situation known as “silent cyber,” the unknown exposure in an insurance portfolio created by a cyber risk that has neither been excluded nor included. Corporations must consult their risk managers/insurance brokers to ensure that their policies specifically address acts of war relating to cyber, and are not silent regarding cyber risks.
While the U.S. awaits more retaliation on the part of Iran, American businesses must act now to prepare for the inevitable cyber warfare on the horizon…or risk becoming innocent bystanders caught in collateral damage.