The danger of calling out cyberattackers

The Progress-Index - OPINION

The $100 million lawsuit that Mondelez, the maker of Oreos and Cadbury chocolate, has brought against Zurich Insurance Group shows that governments should be more careful about identifying the would-be culprits in putative cyberwars: Such claims can have unintended consequences, and can sometimes harm businesses.

In June 2017, a malware program dubbed ExPetr or NotPetya wreaked havoc at Danish shipping giant Maersk, U.S. pharma titan Merck, Russian state-owned oil company Rosneft and a number of other big corporations, including Mondelez. NotPetya used an exploit known as EternalBlue, created by the U.S. National Security Agency and leaked earlier in 2017.

In February 2018, Britain officially blamed Russia for the unusually powerful cyberattack. The U.S., Canada and Australia quickly followed as part of what was revealed later to be a coordinated diplomatic action. The official statement from the White House called the malware "part of the Kremlin's ongoing effort to destabilize Ukraine" and said it demonstrated "ever more clearly Russia's involvement in the ongoing conflict." Cybersecurity companies found that the attack had first struck in Ukraine.

The official attribution to Russia by Western governments fits the naming-and-shaming pattern established in recent years. They don't feel compelled to provide any proof: That's unnecessary if the idea is to tell Russia, "We know what you're doing." Russia invariably denies involvement, so the consequences are usually limited to a publicity blast.

But not in this case: The Mondelez-Zurich dispute could set a nasty precedent, raising the question of whether the rules of business need to be changed to take into account the Brave New World of cyberattacks.

Mondelez claimed $100 million on its insurance policy because it believed the permanent damage to 1,700 of its servers and 24,000 laptops, inflicted by NotPetya, plus the theft of thousands of user credentials, unfulfilled customer orders and other losses fell under the provision of its insurance policy that covered "physical loss or damage to electronic data, programs, or software" caused by "the malicious introduction of a machine code or instruction." In June 2018, Zurich countered that NotPetya fell under an exclusion in the policy covering "hostile or warlike action in time of peace or war," which meant the insurer didn't have to make good on the claim.

Mondelez sued, asserting that Zurich's application of the exclusion to a cyberattack or, indeed, to anything but conventional warfare was unprecedented. The burden of proof in a case like this is with the insurance company. Cyberattacks are notoriously difficult to attribute, and even evidence collected by cybersecurity companies may not be convincing to a court.

In this particular case, however, Zurich can refer to a number of official statements by Western governments describing NotPetya as part of a Russian hostile action against Ukraine. But, as is usual with disclosures from intelligence agencies, no proof was offered to back up the accusation. The lawsuit raises the question of whether the claims from official sources should be admissible as evidence, even when they lack substantiation.

The U.S. and other governments should think hard about whether the questionable benefits they get from the public accusations are worth the potential fallout: What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage? Does the language of war really provide a good description of the current cyberspace rivalries? What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?

The cyberwar narrative is titillating, but it's also rather pointless. Perhaps it's time to tone it down, or at least think twice before using such strong language.
