Since Russia launched a full-scale military invasion of Ukraine on Feb. 24, questions have resurfaced about the likelihood of a global cyber war. While experts say there isn’t a credible threat at this time, the overall cyber threat landscape is leading to caution.
“I personally believe that the threat of cyber attacks against U.S. infrastructure and other large-scale cyber disruptions in the United States is greatly, greatly elevated right now, maybe the highest that it’s been in history actually,” said Jon Bateman, a fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, on the most recent episode of The Insuring Cyber Podcast.
He warned against attributing the increased cyber threat landscape solely to the recent events in Ukraine, however, as risks have been growing even before the war.
“It’s very hard in this environment to attribute events or vet the claims that are being made publicly,” he said. “And it’s easy to jump to conclusions if there is some kind of cyber disruption that it must have something to do with the conflict in Ukraine.”
Regardless of why the threats are growing, Adam Levin, founder of CyberScout and co-founder of Credit.com, author and host of the “What the Hack with Adam Levin” podcast, said later in this episode that companies have to stay alert and train their employees.
“Businesses need to anticipate that they’re going to be targeted, and they have to act accordingly,” he said. “There’s a wonderful phrase in the cyber world that was coined by Bruce Schneier. It’s that if you think throwing a ton of money at technology is going to solve your security problems, then you don’t understand security and you don’t understand technology. Because you could have the greatest technology in the world, but you’re only as strong as the weakest individual that has access within your organization to that technology.”
Levin recommends a framework he developed and refers to as “the three M’s.” It involves minimizing the risk of exposure and reducing the attackable surface, monitoring for risks, and managing the damage. Importantly, he cautioned businesses and individuals to always remember who they’re facing.
“[Cyber criminals] are sophisticated, they’re creative, they’re persistent,” he said. “We all have day jobs—whether it’s raising a family, running a business, being involved in educational activities or philanthropic activities, we have a day job. But to a hacker, to a phisher, to a scammer, to an identity thief, we are their day job.”
He said this means companies and their employees will need to adapt as the risks are everchanging.
“It means approaching all of this from a completely different perspective where you understand the fact that you have a stake, an ownership, as an employee, in the privacy and security of your organization,” he said. “It’s really about creating a culture of privacy and security from the Xerox room to the boardroom and back again. Or if you’re working from home for a company, from the living room to your home office and then throughout your entire household.”
For insurers, heightened cyber threats are also presenting challenges regarding war exclusions in policies. In a paper Bateman authored on “War, Terrorism, and Catastrophe in Cyber Insurance” for Carnegie, he said this is a challenging gray area because although war exclusions in insurance policies can date back to the 1700s, they had never been applied to cyber incidents until the 2017 NotPetya attack.
This attack occurred when the Russian government unleashed data-destroying malware called NotPetya, infecting hundreds of organizations in dozens of countries and causing an estimated $10 billion in losses. But some property/casualty insurers declined to pay NotPetya-related claims, instead invoking their policies’ war exclusions. These are clauses that deny coverage for hostile or warlike action enacted by states or their agents.
“It’s a time of flux and uncertainty in the area of how insurance coverage actually applies,” Bateman said.
Part of the confusion around how these terms are used in cyber policies is due to uncertainty regarding what cyber war actually means.
“I think when people use the term cyber war, they’re often talking about one of two things. One of those would be a nation state aggression in cyberspace, one government hacking another country that would be so serious that by itself that would be an act of war,” Bateman said. “I think the other thing that people are often talking about when they say cyber war is when two countries really are at war in a traditional physical sense, like Russia and Ukraine are today, and cyber operations then become a part of that war. And that’s really what we’re seeing right now.”
Adding to the challenges is the fact that the insurance industry has seen an unprecedented level of disruption outside of cyber risk, he said.
“This outbreak of cyber war, if it does occur, is happening at the worst possible moment in financial terms for an industry that’s been pummeled by ransomware and more broadly by COVID and inflation and natural disasters around the world,” he said. “So, at a time of hardening cyber insurance markets, an outbreak of cyber war is in some ways the worst nightmare for insurers and reinsurers and could be a historic challenge to the marketplace.”
Check out the rest of this episode to find out what else Jon and Adam had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.