What is any self-respecting ransomware “business entrepreneur” to do?
The US Government has recently (at the Biden/Putin June summit meeting) made it clear to the Russian Government (and so implicitly to others) that it considers 16 sectors “off-limits” in terms of being targets for cyberattacks and the use of ransomware. For the likely list see CISA’s website.
Delving into the realm of game theory, the questions then become why one would create and publicize such a list, and whether doing so will actually deter or invite attack, since the “off-limits” sectors are obviously exactly the ones which any ambitious criminal or malevolent state actor should target in order to cause maximum damage or inconvenience, or to extort for “ransom”. Of course, it is also arguable that everything should be off-limits. However, we are dealing with one government telling another where, in theory, it will “draw the line” in terms of finding it necessary to be seen to respond and exact a price from the perceived aggressor.
The problem is, as we have written before, that proving that a particular event was “state-sponsored” or directed is awkward. Even if one has irrefutable “proof”, disclosing it may reveal how that proof was gathered, compromising existing intelligence-gathering as well as future “counter-measures”. One does not wish one’s opponent to see one coming or to know how one got there!
And that fact is causing problems in the world of providing cyber covers, where policies often have exclusions for “terrorism”, or Acts of War. How does a (re)insurer prove that an event was an excluded one? Where does and should the burden of proof lie? Can you ever prove “beyond a reasonable doubt” that “X” not only caused an event, but did so at the direction of a state entity? Do you have to revert to “the balance of probabilities”?
When serious money is at stake, the debate becomes quite heated, and then ends up in court; vide the continuing Mondelez/Zurich saga over a cyberattack from 2017 involving the NotPetya ransomware onslaught.
Be that as it may, it does beg the question of how cyber (re)insurance underwriters should build their portfolios. Can one truly risk-weight the probability of an attack, and thus a potential claim, based upon the existence of a list and a publicly-issued threat (at least so far as US covers are concerned)? If, subsequently, the US is able to deter and/or cripple would-be cyber-hackers, where might the focus shift next? After all, the reason for ransomware attacks is, in theory, primarily a monetary one. The US may have historically been seen as “where the money is”, but there are now many other parts of the world in which there are wealthy (and perhaps less protected or paranoid) targets.
All in all, the topic is a fascinating one because of its combination of game theory, geopolitics, technology and money. In a world in which losing connectivity would be seen as going back to The Dark Ages, the issue is unlikely ever to go away. So, how can the risks be contained, when the intent behind them is criminal and/or the projection of power, but in an often-deniable form? And bear in mind that this is in a world of software such as NSO’s Pegasus/Q Suite, whose capabilities in the “wrong hands” (so to speak) could be truly dangerous at a level not yet seen.
The Awbury Team