[BreachExchange] NotPetya malware attack: Chaos but not cyber warfare

Destry Winant destry at riskbasedsecurity.com
Thu Aug 16 09:18:46 EDT 2018


https://www.zdnet.com/article/notpetya-malware-attack-chaos-but-not-cyber-warfare/

The impact of last year's NotPetya cyber attack was felt around the
world, bringing several large organisations grinding to a halt and
costing billions of dollars in damage and lost revenue - but the
attack said to be the work of the Russian military still doesn't cross
the threshold for being classed as cyber warfare, according to one new
analysis.

A new paper published by global cyber insurance and risk management
firm Marshsuggests that NotPetya doesn't meet the requirements to be
classed as cyber warfare because the main impacts were only economic,
focused on civilian infrastructure and that the goal of the attack
wasn't "coercion or conquest".

Despite economic damage and the UK and US governments attributing the
attack to the Russian military, "these two factors alone are not
enough to escalate this non-physical cyber attack to the category of
war or "hostile and warlike" activity," said Matthew McCabe, assistant
general counsel for cyber policy at Marsh.

While the economic costs have cost individual companies hundreds of
millions and have cumulatively reached billions of dollars, the paper
argues that for an attack to be classed as an act of war, it must go
beyond economic damage -- even if that that damage is large.

The report points comments made by then-US President Barack Obama in
2014 in which he described the Sony Pictures attack - attributed to
North Korea as "cyber vandalism." Like NotPetya, no physical damage
was done, and the attack had costly consequences for Sonybut McCabe
argues this isn't enough to class it as an act of war.

"For a cyber attack to fall within the scope of the war exclusion,
there should be a comparable outcome, tantamount to a military use of
force," he said.

A second reason Marsh doesn't see NotPetya as an act of warfare is
because the attack didn't serve any military purpose: the most
prominent victims were in civilian areas likelogistics and
pharmaceuticals.

These are are what McCabe describes as "places far removed from the
locale or the subject of any warfare" and mean that NotPetya can't be
described as an act of war.

Thirdly, the NotPetya campaign wasn't backed up by a military use of
physical force against targets.

"The resulting chaos caused by NotPetya bore greater resemblance to a
propaganda effort rather than a military action intended for "coercion
or conquest," which the war exclusion was intended to address," said
McCabe.

What this ultimately means, the report claims, is that under the
current definitions of warfare, NotPetya wouldn't come under the
category of damage caused by warfare and cyber insurance companies
therefore wouldn't be forced to pay out for losses relating to war
damages.

However, the report points out that the definition of warlike activity
is one hundred years old which suggests it may need to be updated for
the realities of the 21st century.


More information about the BreachExchange mailing list