Anonymity of cyber threats creates legal headaches for insurance

Cyber technology is now an integral part of all sorts of businesses, and therefore exposes them to an unpredictable range of risks. Foreign actors are increasingly exploiting the weaknesses in those systems to advance state policies, which is leading governments to treat cyber attacks as an extension of armed conflict.

That’s according to Scott Anderson, the David M. Rubenstein fellow in Governance Studies at the Brookings Institution. Even though the legal vocabulary of cyber warfare can be misleading, he said, treating attacks in those terms raises complicated questions about what insurance policies cover. He recently wrote an article for the legal blog Lawfare on the subject.

Scott Anderson, David M. Rubenstein Fellow, Governance Studies, Brookings Institution; Senior Editor, Lawfare

“Specifically we talked there about a lawsuit regarding the Mondelez company, which is a kind of large food conglomerate, that claimed to have suffered … really in excess of $100 million in damages from the NotPetya attack, which was a ransomware-like attack that occurred in 2017, and that basically debilitated a lot of their computer systems, caused lots of damage — actually could have caused much more damage if it weren’t caught through kind of fortunate turn of events somewhat early,” Anderson said on Federal Monthly Insights — Cybersecurity Month 2019. “And they were not the only ones affected, many other companies were affected by NotPetya, as well.”

The U.S., U.K. and other governments have attributed NotPetya to Russia and described it as initially deployed in Ukraine as part of the ongoing conflict between the two nations. The U.S. government’s assessment is that from there the attack spread beyond its intended targets and reached private computer systems worldwide.

But establishing with certainty where a cyber attack came from is still challenging, even for the U.S. intelligence community. Ambiguity about who is responsible persists.

“And that really matters, because under existing insurance policies, who the actual actor is can play a major role in the coverage that insurance providers claim that they are obligated to provide,” Anderson said on Federal Drive with Tom Temin. “It’s also possible that various state actors really are working through relationships with non-state actors.”

Another concern around cybersecurity is modernization, and how to retire legacy systems safely.


Todd Simpson, chief product officer at the Department of Health and Human Services, said that the longer older systems are around, the more likely candidates they become for “brute force” cyber attacks.

“From my perspective, I think that the new technologies that this new CIO [Jose Arrieta] has been bringing to bear, especially around technologies like blockchain, where — proven leaders secure technology, to my knowledge [have] never been hacked,” he said. “You know, and when we use these new technologies in the right use cases, we create a much more secure environment.”

For example, HHS has been using blockchain infrastructure to capture logs and make sure hackers are not hiding their trails, he said. But in general, Simpson suggested reducing the number of systems as an agency modernizes, as well as changing the security posture.
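The property Simpson is describing is tamper evidence: once a log record is chained to the records before it, editing or deleting an earlier record breaks every hash that follows. The block below is an added illustration of that idea in plain Python, not HHS’s system or any blockchain product; the sample events are constructed for the example, and the entry layout and function names are the author’s assumptions.

```python
import copy
import hashlib
import json

# Constructed sample audit events (not real HHS data).
SAMPLE_EVENTS = [
    {"ts": "2019-10-01T12:00:01Z", "user": "svc-backup", "action": "login", "result": "ok"},
    {"ts": "2019-10-01T12:00:07Z", "user": "svc-backup", "action": "read", "path": "/etc/shadow"},
    {"ts": "2019-10-01T12:00:09Z", "user": "svc-backup", "action": "logout"},
]

# Hash that the first entry chains to; any fixed, published value works.
GENESIS = "0" * 64


def _canonical(event: dict) -> bytes:
    """Serialise an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict) -> dict:
    """Append an event, binding it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev_hash.encode() + _canonical(event)).hexdigest()
    entry = {"prev": prev_hash, "event": event, "hash": digest}
    chain.append(entry)
    return entry


def build_chain(events) -> list:
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain: list):
    """Recompute every hash from GENESIS forward.

    Returns (True, None) if the chain is intact, otherwise (False, index) where
    index is the first entry whose link or hash no longer matches.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        expected = hashlib.sha256(prev_hash.encode() + _canonical(entry["event"])).hexdigest()
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return False, i
        prev_hash = entry["hash"]
    return True, None


def tamper_demo():
    """Show that both editing and deleting a past record are detected."""
    chain = build_chain(SAMPLE_EVENTS)
    ok_intact, _ = verify_chain(chain)

    # An intruder rewrites the sensitive read to look harmless.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["path"] = "/var/log/nothing"
    ok_edited, bad_edited = verify_chain(edited)

    # An intruder removes the record entirely; the next entry's "prev" no longer matches.
    deleted = copy.deepcopy(chain)
    del deleted[1]
    ok_deleted, bad_deleted = verify_chain(deleted)

    return ok_intact, ok_edited, bad_edited, ok_deleted, bad_deleted


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, 1, False, 1)
```

The caveat a practitioner would want: a hash chain only detects changes to records that come before some hash the attacker cannot alter. An intruder who controls the log host can truncate the tail and nothing in the chain itself will notice, so the latest hash has to be anchored somewhere outside that host, which is the function a distributed ledger (or simply periodically shipping the head hash to a separate, write-once store) is meant to serve.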

But HHS is made up of several smaller yet significant entities each with their own modernization needs. This is where Arrieta’s ideas around cloud technology come into play, Simpson said.

“His role is to ensure that there’s as little duplication taking place as possible, and as much interoperability taking place as possible, and that there’s scalability in the solutions,” Simpson said. “But I think what Jose is doing to try to get ahead of some of this stuff and to ensure that he’s breaking down the silos and getting everybody on the same sheet of music is just being very engaging.”

Copyright © 2019 Federal News Network. All rights reserved.