WARGAMES: ANALYZING THE ACT OF WAR EXCLUSION IN INSURANCE COVERAGE AND ITS IMPLICATIONS FOR CYBERSECURITY POLICY.

Author: Shackelford, Scott J.

Table of Contents

Introduction
I. Unpacking NotPetya, WannaCry, and the Ransomware Epidemic
II. Defining "Cyber War"
    A. Applicable International Law
    B. U.S. Approach
    C. Evolution of U.S. Cybersecurity Strategy to Defend Forward
    D. Attribution Challenges
III. Managing Cyber Risks Through Insurance
    A. Coverage and Cost
    B. Indiana Survey Findings
    C. Act of War Exclusion
IV. Review of Pending Cases
    A. Mondelez
    B. Merck
    C. Universal Cable Productions LLC
    D. Other Relevant Litigation
    E. Insights from Britain
V. Policy Implications and Proposed Standard
Conclusion

INTRODUCTION

On October 15, 2020, six Russian nationals who are alleged to be officers in Russia's Main Intelligence Directorate (GRU) were indicted by the U.S. Department of Justice for their roles in a host of recent high-profile cyber attacks, including those targeting Ukraine, Georgia, France, South Korea, and the United States. (1) These attacks included some of the most costly and destructive incidents in the history of cyber attacks, including the 2017 NotPetya cyber attack that resulted in more than $10 billion in damages globally. (2) Public attributions of such cyber attacks from the U.S. government back to individual nations, organizations, and even individuals have been an important lynchpin of the evolving U.S. cyber deterrence strategy (i.e., naming and shaming, despite the difficulties of follow-up prosecution given a lack of necessary extradition and robust mutual legal assistance treaties in many instances). (3) Debate continues to rage about the effectiveness of this approach given the ongoing cascade of cyber attacks targeting both the public and private sectors in the United States--prompting a focus post-2018 on "Defending Forward" (4)--but a perhaps unanticipated knock-on effect has been on shaping the insurance industry.

Cyber risk insurance coverage has become an increasingly vital tool permitting both public and private-sector organizations to mitigate an array of cyber risks, including the prevalent issue of ransomware. (5) However, despite the relatively rapid uptake of these policies, a series of issues and barriers emerged. (6) Litigation has centered on issues ranging from what constitutes "covered computer systems" as many employees are working from home, to questions of negligence. (7)

Among the most vexing issues, with arguably wide-ranging implications not only for the insurance industry but also for U.S. cybersecurity policy generally, is when a cyber attack attributed to a foreign nation constitutes an act of war, thus excluding coverage. As one example, among those firms impacted by NotPetya was the multinational food conglomerate, Mondelez International, which lost more than $100 million in the breach. (8) However, when Mondelez filed a claim with its property insurance firm, (9) Zurich International, to recover these costs, its claim was denied because NotPetya was considered a "hostile or warlike action" by a "government or sovereign power." (10) Mondelez countersued, alleging breach of contract, and the case remains pending in Illinois state court as of this writing. A similar case involving damage from NotPetya on Merck is likewise pending in New Jersey. (11) Yet, the literature to date has largely ignored this pressing issue, (12) which holds the potential to inhibit, or even remove, a useful risk mitigation tool from companies that are already struggling to manage their cyber risk exposure. The absence of this issue from discussions about U.S. cyber deterrence strategy, despite the importance of insurance to many policymakers, (13) is likewise questionable.

This Article makes several original contributions to this debate. First, it couches this issue as part of a set of cybersecurity dilemmas facing organizations that are manifest in the ransomware epidemic, the costs of which by some estimates reached nearly $200 billion in 2019 alone. (14) Relatedly, it summarizes findings from a statewide cybersecurity survey that we conducted in collaboration with the Indiana Attorney General's Office that featured a range of questions on cyber risk insurance coverage. Second, it summarizes current pending litigation related to the act of war exclusion, and the impact of the 2019 Ninth Circuit's Universal Cable Productions LLC v. Atlantic Specialty Insurance Company holding, which called into question the efficacy of these exclusions in certain cases. (15) Third, it brings in lessons not only from U.S. cybersecurity policy, but also from the applicable international law on defining acts of cyber war and related challenges of attribution. By way of conclusion, the Article suggests a standard to guide courts, policyholders, and insurance companies in navigating these issues going forward.

The Article is structured as follows. Part I discusses the ransomware epidemic that is affecting an array of public and private-sector organizations, digging into the reasons driving this trend, including how certain nation states such as North Korea and Russia are benefiting. (16) Part II then pivots to the issue of defining cyber war, both as a matter of U.S. policy and international law. Part III summarizes the current state of cyber risk insurance coverage through the lens of survey findings undertaken in partnership with the Indiana Attorney General's Office. (17) Part IV reviews pending cases centering on the act of war exclusion, including Mondelez and Merck. Finally, by way of conclusion, Part V offers a proposed standard to help both victims and the cyber risk insurance industry find a more equitable approach to this vexing issue.

  I. UNPACKING NOTPETYA, WANNACRY, AND THE RANSOMWARE EPIDEMIC

    The types of cyber risks that organizations are facing are nearly as numerous as the number of victims. They include spyware, malware, logic bombs, distributed denial-of-service (DDoS) attacks, zero-day exploits, and phishing, just to name a few. (18) Any of these cyber incidents and attacks could trigger cyber risk insurance coverage, and each presents its own set of complex policy issues and potential responses. The following discussion, though, specifically addresses the issue of ransomware and its treatment in insurance policies.

    Ransomware is a type of malware that locks access to a computer until a ransom is paid. It has been a component of the cyber threat landscape since the mid-2000s. (19) There are no comprehensive datasets about exactly how many ransomware attacks are occurring, and how much they are costing victims, but from what limited survey data is available, ransomware rates increased by more than 300 percent in 2020 even as losses to other types of cyber threats decreased. (20) In 2017, for example, the FBI's Internet Crime Complaint Center (IC3) received nearly 2,000 ransomware complaints costing victims over $2.3 million, though according to surveys, the real annual figure is likely in the hundreds of millions of ransomware attacks. (21) High-profile incidents have included ransomware attacks on a series of cities including Baltimore and Atlanta, (22) as well as the U.S. Treasury Department in December 2020. (23) Less understood is how widespread and costly ransomware attacks have been against towns and counties such as Riviera Beach in Florida, which had to pay $600,000 to unlock its data, (24) not to mention schools and hospitals such as Hancock Regional in Indiana, which had to pay $55,000 to attackers in 2020. (25)

    As with an array of groups that benefit from the proliferation of ransomware, including criminal organizations, some nation states are likewise using this tactic to cause service disruptions and sow confusion in other nations, (26) but also to raise funds. (27) North Korea, for example, has raised more than $2 billion through cyber attacks including ransomware to fund its weapons of mass destruction programs. (28) All told, according to a 2019 U.N. Security Council report, the North Korean regime has been linked to "at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity designed to earn foreign currency" spread across seventeen nations. (29) North Korea is not alone in sponsoring these attacks, which leave local governments in a difficult position of deciding whether or not to pay the ransom to recover their data and, in so doing, risk encouraging the aggressors to attack more victims. (30) The situation is so problematic that some states, such as Louisiana, have had to issue emergency declarations in response to a wave of ransomware attacks on municipalities across the state. (31) The total number of such attacks "is largely unknown." (32)

    Among the most damaging ransomware attacks to date were the 2017 WannaCry and NotPetya malware attacks. Indeed, for many, the May 2017 WannaCry incident was "the first time they heard of 'ransomware'" as it took down NHS clinics across the United Kingdom. (33) The incident was fueled by the Shadow Brokers breach of the NSA's vault of advanced cyber weapons, which included stockpiled vulnerabilities in Microsoft Windows that were code-named EternalBlue. (34) One month later, NotPetya struck using the same Windows weaknesses but this time could not hop from network to network. (35) Instead, the hackers used "a hacked version of a major accounting program widely used in Ukraine," among the local branches of Western multinationals. (36) The fact that this particular exploit, which as we will see had devastating impacts on dozens of firms including Mondelez and Merck, originated in Ukraine was an early sign that Russia should be considered a leading culprit. Simply put: "If a nation were to write malware with the aim of crippling the economy of its target, it might look a lot like NotPetya." (37) Indeed, in February 2018, the White House released a statement saying that NotPetya "was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the...
