


Senior Writer

Can cyber insurance cover acts of cyber terrorism?

News Analysis
Jul 24, 2018 · 8 mins
Critical Infrastructure, Disaster Recovery, Risk Management

The politically charged nature of terrorism means that the biggest risk to insurers may be a government's willingness to label something terrorism in the first place.


When the twin towers fell on 9/11, insurance carriers paid out claims of 44 billion dollars, and then decided they really didn’t want to insure tall buildings in Manhattan against terrorism anymore, thank you very much.

Alarmed, the US government created TRIA, the Terrorism Risk Insurance Act, a government-funded backstop for private insurance carriers offering terrorism policies. If another large-scale terrorist attack, officially certified as such by the US government, results in insured losses of more than $180 million (in 2018), TRIA will pay up to $100 billion (with a “b”).

The US modeled TRIA on Pool Re (the “Re” is for reinsurer), a similar program pioneered by the UK following IRA bombings in the early 1990s, including the 1993 IRA bombing at Bishopsgate, then the costliest terrorist attack of all time with losses of more than a billion dollars. In the event of a terrorist attack in the UK, Pool Re pays out to the affected insurance carriers once losses exceed a certain threshold.

Today, governments and insurance carriers are struggling with how to insure against similar acts of terrorism—depending on your definition of the “t”-word—on the cyber domain. An attack on cyberphysical systems could cause significant property damage and even loss of life, but most cyber terrorism policies exclude physical damage. Destruction of a mission-critical database might be covered, for example, but if your chemical plant blows up, that’s probably not covered under existing policies.

In a move that acknowledges this growing risk, Pool Re announced in April 2018 that it now covers acts of cyber terrorism that result in physical destruction. Just one catch: Pool Re only pays out if the UK government publicly labels a particular act “terrorism.”

What exactly is terrorism, anyway?

Consider Stuxnet. As we all know now, Stuxnet was a targeted act of clandestine violence conducted by the US and Israeli secret police against Iran that resulted in damage to cyberphysical systems. The attack was explicitly intended to coerce that country’s politics.

By any reasonable definition, Stuxnet was terrorism. But because nothing the US ever does can be considered “terrorism,” even when it causes terror, destruction of property, loss of life, and so forth, we don’t use the dreaded “t”-word.

The politically charged nature of terrorism, therefore, means that the biggest risk to insurers may be a government’s willingness to label something terrorism in the first place.

The challenge of attribution

Attackers claiming links to ISIS knock a major television news outlet offline for the better part of the day. Incident responders take a closer look, only to discover the attackers were at their Cyrillic-language keyboards during office hours in Moscow. This sounds like fiction, but it happened to France’s TV5 in 2015.

There’s a name for this tactic: a false-flag operation. It is unfortunate that certain radio and cable news outlets have found solace in repeating nonsense that everything and sundry is a false-flag attack. Nevertheless, false-flag operations do take place, and such attacks could prove costly to taxpayers if a terrorism insurance backstop like TRIA or Pool Re pays out for an event that is not, in fact, terrorism.

Attribution is hard, and future attacks might be more sophisticated. Was it terrorism? An act of war? An act of clandestine sabotage flying a false flag? “It’s hard to get a smoking gun, bulletproof evidence,” James Bourdeau, a researcher at the Centre for Risk Studies at the University of Cambridge in the UK, says. “How is an intel agency going to say ‘this country did it’ without burning their sources?”

A government might even choose to wrongly label a destructive event as terrorism to avoid a shooting war. “If it’s not beneficial to the government to call it terrorism, the government doesn’t have to declare it,” Tamara Evan, also a researcher at the Centre for Risk Studies, says. “The attribution issue gets a little willy.”

Responding to such attacks becomes a matter of statecraft, and insurance carriers, and their insured, could find themselves on the hook for damages if a government finds it inconvenient to label something with the “t”-word. “IRA bombings produced many situations just like that in the UK,” Éireann Leverett, founder and CEO of Concinnity Risks, tells CSO. “They gather a bunch of experts into a room and ask them for attribution assessments in private. Then the politicking! Sometimes they pay when they know it wasn’t terrorism, or when they aren’t sure.”

Things get even crazier when we realize that future attacks will likely use cyberweapons developed by the US or UK governments themselves.

When terrorists use NSA cyberweapons

If you build it, they will come.

NSA cyberweapons seem destined to be leaked, lost or stolen and dumped online for all the world to use. Information wants to be free. As we saw with the Shadow Brokers, such weapons will quickly wind up in the hands of other nation-states, and in the hands of criminals and terrorists around the world.

Pool Re is worried that American or British “cyber weapons of mass destruction” will wind up in the hands of terrorists. “Weapons of mass destruction, designed by nation-states for use against their enemies are kept secure and are almost impossible for terrorists to procure,” the Centre for Risk Studies report, funded in large part by Pool Re, concludes. “This may not be the case with equivalent cyber weapons or techniques, some of which seem to find their way onto the dark web. [sic]” (The Shadow Brokers dumped the NSA code on GitHub, not the “dark web.”)

The good news, however, is that terrorists, unlike nation-states, lack the resources to develop their own cyberweapons, at least for now.

Why terrorism is insurable and war is not

War has never been insurable, but terrorism is insurable for the same reason that piracy on the high seas was (and remains) insurable: The resources a pirate or terrorist has available to them are orders of magnitude smaller than those of a nation-state.

Just as a country’s navy dwarfs a single pirate vessel, the years of work that went into a project like Stuxnet dwarf a terrorist popping boxes with EternalBlue. That’s assuming there are terrorists technically savvy enough to even get that far.

The Centre for Risk Studies report concludes that cyber attacks on chemical plants or petroleum facilities would be devastating, but also that terrorists have so far shown no interest in attempting such attacks. “When ISIS were in possession of oil fields in Iraq, they could have used that equipment for pentesting, however they didn’t, their focus was on territorial gain,” Evan says. “Now there’s a hypothesis they might be more interested in looking more at ways to attack the West, but they don’t have those resources.”

Disorganized rag-tag bands of rebels looking to engage in asymmetric warfare must still overcome a high hurdle—their lack of technical competency. However, Evan worries that in the future such terrorists might employ cyber mercenaries, or, barring that, tools will continue to get easier to use, making it possible for less skilled attackers to get bang for their buck.

Truly devastating attacks remain out of reach of terrorists, at least for now, she says. “The very sophisticated acts of terrorism that cause massive power outages, significant damage to critical infrastructure, if they are possible the only groups that have the budget and the time and the teams to actually achieve those results—and the additional intelligence you might require to pull it off—are nation-state teams,” Evan says. “Those really big acts would be considered acts of cyber war.”

Terrorists like things that go boom

Religious fanatics seeking martyrdom are unlikely to do so from behind a keyboard, Evan speculates. They like things that go boom, smoke and flames and death and destruction, all difficult things for a low-skilled attacker to reliably produce.

She points out that ISIS and related groups often falsely claim responsibility for events like the Grenfell Tower fire, which was an accident, but did not even think about falsely claiming responsibility for NotPetya or WannaCry, which caused widespread damage around the world.

This, Evan says, is a window into the thinking of most terrorists. “An issue with cyber, from a terrorist’s point of view, is that usually there is no certainty that you’re going to create an explosive event.”

The cyber terrorism forecast

Cyber terrorism is probably not going to be a thing in the near term, Evan tells CSO. “Our conclusion in 2016 was that we don’t think that there’s a great likelihood of cyber terrorism happening in the next three to five years.”

The real worry, both Evan and Bourdeau agree, is the risk of systemic events that scale globally. The interconnected, interdependent nature of the cyber domain on which we all now live means that a digital plague could wreak havoc around the world. A modern-day Morris worm might not make things go boom, but the economic impact, and the resulting loss of faith in the fragile internet tower of Babel we’ve built for ourselves, might be even more harmful.

“You don’t get death and you may not get fire,” Evan says, “but a reduced trust in technology may become a motivation for actors in the future.”

J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.
