By Zak Doffman
The nature of warfare has changed, with a new “mix and match” multidimensional approach from aggressor states and their proxies. In the military sphere, this means attacks in one domain can lead to retaliation in another—military strikes following cyberattacks, for example. But, of more note, targeted or indiscriminate cyberattacks on civilian infrastructure and the commercial sector have become a softer and easier to reach target than locked down military or intelligence platforms. All of which is proving a challenge to traditional definitions of warfare.
Get started on your Homeland Security degree at American Military University.
The blurred lines between the military and civilian domains and the ease by which cyberattacks can be launched on targets thousands of miles from home have become a game-changer. Military dominance is undermined if the home-front is woefully vulnerable to a catastrophic attack. While we read headlines about long-range missiles being tested in North Korea or developed in Iran, the fact is that a takedown of a country’s energy grid or transportation network or health service is a far greater risk. And that risk doesn’t need any scientific developments and rogue supply chains—it exists today.
These new developments, all taking place under the broader umbrella of hybrid warfare (which also includes propaganda, spheres of influence, media manipulation and population interference) require new definitions, clarity and, ultimately, rule of law. The difficulty in direct nation-state attribution and the obfuscation of state-sponsorship of hacking groups is a serious issue for the practicalities of holding actors to account and ensuring that retaliation is directed at the right place. As we have seen in the Middle East with escalating tensions between the U.S. (and allies) and Iran (and Russia and China), non-attributable cyberattacks are themselves an opportunity for aggressor states to suggest nefarious “false flag” activity on the parts of the “good guys.” Put simply, misdirecting attention.
One of the sectors heavily impacted by this new interchangeable style of warfare is the reinsurance market. “In the cyber space,” explains Anthony Cordonnier, Head of Cyber at Swiss Re, “it is extremely difficult to attribute aggressive behaviour without doubt and even more difficult to pinpoint motivation. This in turn has led to difficulties in enforcing war exclusions in a fair manner.”
A new White Paper from reinsurance broker Capsicum Re argues that the evolving “cyber peril” has now “transcended traditional lines of business, challenging the very concept of war.” The issue for the insurance market, Capsicum Re says, is that this might “render current war exclusionary language unfit for purpose.”
Not an issue when the U.S. and Iran are taking physical or electronic shots at each other in the Gulf, but a real issue when your IoT devices take down a business department for a day or result in a data breach that costs millions. Because then it’s the insurance market you turn to, and if you find yourself on the wrong side of a “warfare exclusion” clause, it could be catastrophic.
The insurance industry “needs to demonstrate that it is not seeking an easy way out,” says Swiss Re’s Cordonnier. Instead, we should “adapt war exclusions to reflect the realities of the modern world.” But Cordonnier raises the challenge that if this redefinition goes too far, letting “war exclusions be weakened or even removed without having an alternative concept in place,” insurers could find themselves making “unethical” financial commitments “that the balance sheets of [those] private companies are incapable of meeting.”
The White Paper written by Capsicum Re’s head of cyber, Ian Newman, explains the “Attribution Line,” the point at which a cyberattack becomes an act of war. “Traditionally an act of war goes beyond the realm of insurable interest—as such, attribution, whereby the parties involved are readily identifiable, becomes a critical test of whether indemnity can or cannot be provided following a cyber attack.”
That test, though, is now more fluid than ever for all the reasons above. In the last week or two, we have seen disclosures on state-sponsored threat actors attacking utility companies, Microsoft customers being attacked through VoIP phones and office printers, even cyberattacks on the video games industry. And that attribution is never clear-cut, it is join-the-dots research backed by educated conjecture. “In order to resolve this issue,” Newman says, “the market must strive to agree a line at the crossroads between the unattributed and the attributed.”
Traditional insurance definitions of warfare have focused on directly attributable physical conflict, “extreme violence, aggression, destruction, and mortality, using regular or irregular military forces,” Newman summarizes, before proposing additions: “Weaponized non-physical assets, for example covert, coded intelligence networks, and internet infrastructure, such as cloud service providers and their associated server farms, could and should be included as legitimate military targets.”
For a state of cyber warfare to be in place, an actual state of warfare needs to be in place—although this raises the question as to when that line is crossed. Newman uses the example of Russia and Ukraine, but there are debates to be held in the Middle East as well. Beyond the high-level arguments, the White Paper also delves into definitions, complicated by cyber insurance, definitions of “cyber terrorism” and how those play with terrorism exclusions. All in all, a set of terms and conditions that could use a fresh look.
Stepping back, though, one of the biggest takeaways this year has been the evolution of multidimensional warfare. It has always been there, but now it is significantly more open, transparent and interchangeable than before. Arguably we turned a corner earlier in the year with two game-changers inside the space of a few short weeks: Israel targeted Hamas hackers with a missile strike and then the U.S. targeted Iran’s missile launch systems with a cyberattack. Mix and match and on view to the world—seriously new territory.
The shadowy activities of state-sponsored hacking groups in Russia and China (and North Korea and Iran) have promoted new agencies and defense tactics in the West. And now the job of work of assessing the financial implications and responsibility carve-outs for all that has also begun.