What Israel's Bombing of Hamas Hackers May Mean for the Insurance Industry
Commonly considered as an act of war, insurance companies often claim cyberattacks are excluded from their policies. Military action against hackers may strengthen the case for insurers, but also give birth to new types of policies
In fact, the U.S. defense establishment has been mulling over its response in this emerging area of warfare for some time. In 2011, the Pentagon provided a report to the U.S. Congress that read: “When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country.” The Pentagon further warned that “We reserve the right to use all necessary means—diplomatic, informational, military and economic—to defend our nation, our allies, our partners and our interests.” More recently, The Pentagon also considered countering devastating cyberattacks with nuclear weapons.
What is surprising about Israel’s recent actions, as well as the Pentagon's position, is that, typically, the accepted rules of warfare call for proportionate and appropriate responses to attacks and it remains unclear whether a physical strike as a response to a cyberattack fits within these limitations.
To determine this, we need to better understand the metes and bounds of cyber warfare within the legal context of international laws of war.
According to global policy think-tank Rand Corporation, the term cyber warfare can be broadly described as “actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service.”
Humanitarian organization the Red Cross is even more decisive: “If the means and methods of cyber warfare produce the same effects in the real world as conventional weapons (such as destruction, disruption, harm, damage, injuries, or death), they are governed by the same rules as conventional weapons.” According to the Red Cross, this would include, for example, jus ad bellum, the right of self-defense.
In contrast to the clear and pragmatic position of the Red Cross, the U.N. still lacks clarity on the subject. Recently, U.N. Secretary-General António Guterres, in acknowledging the growing incidences of cyberattacks, noted that the lack of regulation in cyberwar constitutes a global threat, especially as he thinks that it remains unclear even if the laws of the Geneva Conventions apply to cyberwar, or if cyberwarfare meets the threshold of armed conflict necessary to trigger international humanitarian laws.
As Guterres further noted, this lack of clarity is exacerbated by the reality that state-led cyberattacks are already frequent and are becoming more common. The recently released Mueller report, for example, noted how Russian cyber-espionage and cyber-driven covert influence operations attempted to influence the results of the 2016 U.S. election.
But the efforts to influence U.S. elections are relatively benign given the potential for chaos and destruction. As societies come to rely more on networked infrastructure, cyberattacks will become more prominent, bothersome and potentially even deadly. To this end, Russia has hosted informally formal "meetings with vodka" between its own officials, and representatives from the U.S. and China to help work out what the expected rules of engagement might be in the increasingly common cyberattacks by one state against the other.
On a personal level, there is an increasing likelihood that the next cyberattack might actually disable your own personal or business computer systems. Unfortunately, notwithstanding your position as an innocent bystander to a greater battle, the damage done will likely not be covered by your insurance.
In June 2017, Mondelez International Inc., the maker of, among other things, Oreo cookies, suffered damages to its thousands of servers and computers due to the NotPetya cyberattack. However, its $100 million claim to its insurance company Zurich Insurance Group Ltd. was denied under a standard war exclusion clause, which excludes claim coverage for acts associated with war, including terrorism. Zurich argued that because both the U.S. and the U.K. governments identified the Russian military as the source of NotPetya, it was clearly an attack by a sovereign power and thus was excluded from coverage. In the fall of 2018, Mondelez sued Zurich for failing to pay on its obligations, the case is still ongoing.
Typically, courts have examined such suits in one of two ways: the common meaning approach that looks to whether the war-like act in question would commonly be seen to be an act of war, and the technical approach, which looks to legal specificities, like whether or not the act is part of a formally declared war. In assessing these options, a California court recently found that the conflict between Israel and the non-state actor Hamas could be construed as a war for insurance purposes in Universal Cable Productions LLC vs. Atlantic Specialty Insurance.
Zurich’s exclusion clause is particularly broad, so it is likely to prevail over Mondelez in any event. However, the aforementioned Israeli response to the cyberattack may serve to further enmesh future cyberattacks squarely within the scope of any standard wartime exclusion clause under both the technical and common understanding methodologies. While in the short run this might be bad for a number of businesses, given the potential for a growing number of cyberattacks by state and quasi-state actors, it might, in the longer-term, create a viable market for cyberattack insurance. This is actually something that the U.S. Department of Homeland Security has been lobbying for some time, perhaps, so it won’t feel bad for collateral damage associated with a decision to counterattack the next TerroristCyberHq.exe.
Dov Greenbaum, JD PhD, is the director of the Zvi Meitar Institute for Legal Implications of Emerging Technologies and Professor at the Harry Radzyner Law School, both at the Interdisciplinary Center (IDC) Herzliya.