The $100 million lawsuit that Mondelez, the maker of Oreos and Cadbury chocolate, has brought against Zurich Insurance Group shows that governments should be more careful about identifying the would-be culprits in putative cyberwars: Such claims can have unintended consequences, and can sometimes harm businesses.
In June 2017, a malware program dubbed ExPetr or NotPetya wreaked havoc at Danish shipping giant Maersk, U.S. pharma titan Merck, Russian state-owned oil company Rosneft and a number of other big corporations, including Mondelez. NotPetya used an exploit known as EternalBlue, created by the U.S. National Security Agency and leaked earlier in 2017.
In February 2018, the U.K. officially blamed Russia for the unusually powerful cyberattack. The U.S., Canada and Australia quickly followed as part of what was revealed later to be a coordinated diplomatic action. The official statement from the White House called the malware “part of the Kremlin’s ongoing effort to destabilize Ukraine” and said it demonstrated “ever more clearly Russia’s involvement in the ongoing conflict.” Cybersecurity companies found that the attack had first struck in Ukraine.
The official attribution to Russia by Western governments fits the naming-and-shaming pattern established in recent years. They don’t feel compelled to provide any proof: That’s unnecessary if the idea is to tell Russia, “We know what you’re doing.” Russia invariably denies involvement, so the consequences are usually limited to a publicity blast.
But not in this case: The Mondelez-Zurich dispute could set a nasty precedent, raising the question of whether the rules of business need to be changed to take into account the brave new world of cyberattacks.
Mondelez claimed $100 million on its insurance policy because it believed the permanent damage to 1,700 of its servers and 24,000 laptops, inflicted by NotPetya, plus the theft of thousands of user credentials, unfulfilled customer orders and other losses fell under the provision of its insurance policy that covered “physical loss or damage to electronic data, programs, or software” caused by “the malicious introduction of a machine code or instruction.” In June 2018, Zurich countered that NotPetya fell under an exclusion in the policy covering “hostile or warlike action in time of peace or war,” which meant the insurer didn’t have to make good on the claim.
Mondelez sued, asserting that Zurich’s application of the exclusion to a cyberattack or, indeed, to anything but conventional warfare was unprecedented. The burden of proof in a case like this is with the insurance company. Cyberattacks are notoriously difficult to attribute, and even evidence collected by cybersecurity companies may not be convincing to a court.
In this particular case, however, Zurich can refer to a number of official statements by Western governments describing NotPetya as part of a Russian hostile action against Ukraine. But, as is usual with disclosures from intelligence agencies, no proof was offered to back up the accusation. The lawsuit raises the question of whether the claims from official sources should be admissible as evidence, even when they lack substantiation.
The U.S. and other governments should think hard about whether the questionable benefits they get from the public accusations are worth the potential fallout: What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage? Does the language of war really provide a good description of the current cyberspace rivalries? What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?
The cyberwar narrative is titillating, but it’s also rather pointless. Perhaps it’s time to tone it down, or at least think twice before using such strong language.