[BreachExchange] The Danger of Calling Out Cyberattackers

Destry Winant destry at riskbasedsecurity.com
Fri Jan 11 10:18:57 EST 2019


https://www.bloomberg.com/opinion/articles/2019-01-11/mondelez-lawsuit-shows-the-dangers-of-attributing-cyberattacks

A bizarre $100 million lawsuit shows that companies can be collateral
damage when governments publicly blame other countries for hacks.

The $100 million lawsuit that Mondelez, the maker of Oreos and Cadbury
chocolate, has brought against Zurich Insurance Group shows that
governments should be more careful about identifying the would-be
culprits in putative cyberwars: Such claims can have unintended
consequences, and can sometimes harm businesses.

In June 2017, a malware program dubbed ExPetr or NotPetya wreaked
havoc at Danish shipping giant Maersk, U.S. pharma titan Merck,
Russian state-owned oil company Rosneft and a number of other big
corporations, including Mondelez. NotPetya used an exploit known as
EternalBlue, created by the U.S. National Security Agency and leaked
earlier in 2017.

In February 2018, the U.K. officially blamed Russia for the unusually
powerful cyberattack. The U.S., Canada and Australia quickly followed
as part of what was revealed later to be a coordinated diplomatic
action. The official statement from the White House called the malware
“part of the Kremlin’s ongoing effort to destabilize Ukraine” and said
it demonstrated “ever more clearly Russia’s involvement in the ongoing
conflict.” Cybersecurity companies found that the attack had first
struck in Ukraine.

The official attribution to Russia by Western governments fits the
naming-and-shaming pattern established in recent years. They don’t
feel compelled to provide any proof: That’s unnecessary if the idea is
to tell Russia, “We know what you’re doing.” Russia invariably denies
involvement, so the consequences are usually limited to a publicity
blast.

But not in this case: The Mondelez-Zurich dispute could set a nasty
precedent, raising the question of whether the rules of business need
to be changed to take into account the Brave New World of
cyberattacks.

Mondelez claimed $100 million on its insurance policy because it
believed the permanent damage to 1,700 of its servers and 24,000
laptops, inflicted by NotPetya, plus the theft of thousands of user
credentials, unfulfilled customer orders and other losses fell under
the provision of its insurance policy that covered “physical loss or
damage to electronic data, programs, or software” caused by “the
malicious introduction of a machine code or instruction.” In June
2018, Zurich countered that NotPetya fell under an exclusion in the
policy covering “hostile or warlike action in time of peace or war,”
which meant the insurer didn’t have to make good on the claim.

Mondelez sued, asserting that Zurich’s application of the exclusion to
a cyberattack or, indeed, to anything but conventional warfare was
unprecedented. The burden of proof in a case like this is with the
insurance company. Cyberattacks are notoriously difficult to
attribute, and even evidence collected by cybersecurity companies may
not be convincing to a court.

In this particular case, however, Zurich can refer to a number of
official statements by Western governments describing NotPetya as part
of a Russian hostile action against Ukraine. But, as is usual with
disclosures from intelligence agencies, no proof was offered to back
up the accusation. The lawsuit raises the question of whether the
claims from official sources should be admissible as evidence, even
when they lack substantiation.

The U.S. and other governments should think hard about whether the
questionable benefits they get from the public accusations are worth
the potential fallout: What if courts and lawyers actually start
believing the cyberwar narrative and acting as if any damage caused to
Western companies is uninsurable war damage? Does the language of war
really provide a good description of the current cyberspace rivalries?
What will happen to the insurance of cyber risks if any attack could
potentially be declared part of a war?

The cyberwar narrative is titillating, but it’s also rather pointless.
Perhaps it’s time to tone it down, or at least think twice before
using such strong language.
