BreachExchange mailing list archives
NotPetya malware attack: Chaos but not cyber warfare
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 16 Aug 2018 08:18:46 -0500
https://www.zdnet.com/article/notpetya-malware-attack-chaos-but-not-cyber-warfare/

The impact of last year's NotPetya cyber attack was felt around the world, bringing several large organisations grinding to a halt and costing billions of dollars in damage and lost revenue - but the attack said to be the work of the Russian military still doesn't cross the threshold for being classed as cyber warfare, according to one new analysis.

A new paper published by global cyber insurance and risk management firm Marsh suggests that NotPetya doesn't meet the requirements to be classed as cyber warfare because the main impacts were only economic, focused on civilian infrastructure and that the goal of the attack wasn't "coercion or conquest".

Despite economic damage and the UK and US governments attributing the attack to the Russian military, "these two factors alone are not enough to escalate this non-physical cyber attack to the category of war or "hostile and warlike" activity," said Matthew McCabe, assistant general counsel for cyber policy at Marsh.

While the economic costs have cost individual companies hundreds of millions and have cumulatively reached billions of dollars, the paper argues that for an attack to be classed as an act of war, it must go beyond economic damage -- even if that damage is large.

The report points to comments made by then-US President Barack Obama in 2014 in which he described the Sony Pictures attack - attributed to North Korea - as "cyber vandalism." Like NotPetya, no physical damage was done, and the attack had costly consequences for Sony but McCabe argues this isn't enough to class it as an act of war.

"For a cyber attack to fall within the scope of the war exclusion, there should be a comparable outcome, tantamount to a military use of force," he said.
A second reason Marsh doesn't see NotPetya as an act of warfare is because the attack didn't serve any military purpose: the most prominent victims were in civilian areas like logistics and pharmaceuticals. These are what McCabe describes as "places far removed from the locale or the subject of any warfare" and mean that NotPetya can't be described as an act of war.

Thirdly, the NotPetya campaign wasn't backed up by a military use of physical force against targets.

"The resulting chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for "coercion or conquest," which the war exclusion was intended to address," said McCabe.

What this ultimately means, the report claims, is that under the current definitions of warfare, NotPetya wouldn't come under the category of damage caused by warfare and cyber insurance companies therefore wouldn't be forced to pay out for losses relating to war damages.

However, the report points out that the definition of warlike activity is one hundred years old, which suggests it may need to be updated for the realities of the 21st century.